Update cachix/install-nix-action digest to ba0dd84 #835
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: semgrep | |
on: | |
pull_request_target: | |
types: | |
- opened | |
- synchronize | |
- reopened | |
permissions: | |
pull-requests: write | |
jobs: | |
python_scan: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
repository: ${{ github.event.pull_request.head.repo.full_name }} | |
ref: ${{ github.event.pull_request.head.ref }} | |
- name: scan | |
id: py_scan | |
run: | | |
export DEBIAN_FRONTEND=noninteractive && \ | |
echo 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selections && \ | |
sudo apt-get update && \ | |
sudo apt install jq && \ | |
python3 -m pip install --upgrade pip && \ | |
python3 -m pip install semgrep==1.37.0 && \ | |
python3 -m pip install --upgrade urllib3 && \ | |
mkdir -p /home/runner/reports/ && \ | |
cd ${GITHUB_WORKSPACE}/ && \ | |
semgrep --config=.github/workflows/config/semgrep-python.yml --json -o /home/runner/reports/semgrep.out \ | |
--severity ERROR ./ && \ | |
echo "## Validation Issues Found (Python) :snake: " >> /home/runner/reports/python-msg && \ | |
cat /home/runner/reports/semgrep.out | jq -r --arg ws "$GITHUB_WORKSPACE" --arg url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/blob/$GITHUB_SHA" '.results[] | "**File:** [\(.path | sub($ws; "."; "g"))](\(.path | sub($ws; $url; "g"))#L\(.start.line)) \n**Line Number:** \(.start.line) \n**Statement(s):** \n``` \n\(.extra.lines) \n``` \n**Rule:** \n\(.extra.message)\n\n"' >> /home/runner/reports/python-msg && \ | |
echo "::set-output name=python-found-count::$(cat /home/runner/reports/semgrep.out | jq '.results | length')" | |
- name: Fail if found | |
if: steps.py_scan.outputs.python-found-count > 0 | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{secrets.GITHUB_TOKEN}} | |
script: | | |
const fs = require('fs') | |
var msg = fs.readFileSync('/home/runner/reports/python-msg', 'utf8'); | |
console.log('${{steps.py_scan.outputs.python-found-count}} errors found in python files'); | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: msg | |
}); | |
core.setFailed('Semgrep found errors in Python files. Please check the uploaded report'); | |
- name: Upload scan reports | |
uses: actions/[email protected] | |
if: failure() | |
with: | |
name: semgrep-python-report | |
path: /home/runner/reports/semgrep.out | |
c_scan: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
repository: ${{ github.event.pull_request.head.repo.full_name }} | |
ref: ${{ github.event.pull_request.head.ref }} | |
- name: scan | |
id: c_scan | |
run: | | |
export DEBIAN_FRONTEND=noninteractive && \ | |
echo 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selections && \ | |
sudo apt-get update && \ | |
sudo apt install jq && \ | |
python3 -m pip install --upgrade pip && \ | |
python3 -m pip install semgrep==1.37.0 && \ | |
python3 -m pip install --upgrade urllib3 && \ | |
mkdir -p /home/runner/reports/ && \ | |
cd ${GITHUB_WORKSPACE}/ && \ | |
semgrep --config=.github/workflows/config/semgrep-c.yml --json -o /home/runner/reports/semgrep.out \ | |
--severity ERROR ./ && \ | |
echo "## Validation Issues Found (c) :snake: " >> /home/runner/reports/c-msg && \ | |
cat /home/runner/reports/semgrep.out | jq -r --arg ws "$GITHUB_WORKSPACE" --arg url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/blob/$GITHUB_SHA" '.results[] | "**File:** [\(.path | sub($ws; "."; "g"))](\(.path | sub($ws; $url; "g"))#L\(.start.line)) \n**Line Number:** \(.start.line) \n**Statement(s):** \n``` \n\(.extra.lines) \n``` \n**Rule:** \n\(.extra.message)\n\n"' >> /home/runner/reports/python-msg && \ | |
echo "::set-output name=c-found-count::$(cat /home/runner/reports/semgrep.out | jq '.results | length')" | |
- name: Fail if found | |
if: steps.c_scan.outputs.c-found-count > 0 | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{secrets.GITHUB_TOKEN}} | |
script: | | |
const fs = require('fs') | |
var msg = fs.readFileSync('/home/runner/reports/c-msg', 'utf8'); | |
console.log('${{steps.c_scan.outputs.c-found-count}} errors found in c files'); | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: msg | |
}); | |
core.setFailed('Semgrep found errors in c files. Please check the uploaded report'); | |
- name: Upload scan reports | |
uses: actions/[email protected] | |
if: failure() | |
with: | |
name: semgrep-c-report | |
path: /home/runner/reports/semgrep.out | |
bash_scan: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
repository: ${{ github.event.pull_request.head.repo.full_name }} | |
ref: ${{ github.event.pull_request.head.ref }} | |
- name: scan | |
id: bash_scan | |
run: | | |
export DEBIAN_FRONTEND=noninteractive && \ | |
echo 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selections && \ | |
sudo apt-get update && \ | |
sudo apt install jq && \ | |
python3 -m pip install --upgrade pip && \ | |
python3 -m pip install semgrep==1.37.0 && \ | |
python3 -m pip install --upgrade urllib3 && \ | |
mkdir -p /home/runner/reports/ && \ | |
cd ${GITHUB_WORKSPACE}/ && \ | |
semgrep --config=.github/workflows/config/semgrep-c.yml --json -o /home/runner/reports/semgrep.out \ | |
--severity ERROR ./ && \ | |
echo "## Validation Issues Found (bash) :snake: " >> /home/runner/reports/bash-msg && \ | |
cat /home/runner/reports/semgrep.out | jq -r --arg ws "$GITHUB_WORKSPACE" --arg url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/blob/$GITHUB_SHA" '.results[] | "**File:** [\(.path | sub($ws; "."; "g"))](\(.path | sub($ws; $url; "g"))#L\(.start.line)) \n**Line Number:** \(.start.line) \n**Statement(s):** \n``` \n\(.extra.lines) \n``` \n**Rule:** \n\(.extra.message)\n\n"' >> /home/runner/reports/python-msg && \ | |
echo "::set-output name=bash-found-count::$(cat /home/runner/reports/semgrep.out | jq '.results | length')" | |
- name: Fail if found | |
if: steps.bash_scan.outputs.bash-found-count > 0 | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{secrets.GITHUB_TOKEN}} | |
script: | | |
const fs = require('fs') | |
var msg = fs.readFileSync('/home/runner/reports/bash-msg', 'utf8'); | |
console.log('${{steps.bash_scan.outputs.bash-found-count}} errors found in bash files'); | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: msg | |
}); | |
core.setFailed('Semgrep found errors in bash files. Please check the uploaded report'); | |
- name: Upload scan reports | |
uses: actions/[email protected] | |
if: failure() | |
with: | |
name: semgrep-bash-report | |
path: /home/runner/reports/semgrep.out |