Skip to content

Update cachix/install-nix-action digest to ba0dd84 #837

Update cachix/install-nix-action digest to ba0dd84

Update cachix/install-nix-action digest to ba0dd84 #837

Workflow file for this run

name: semgrep
on:
pull_request_target:
types:
- opened
- synchronize
- reopened
permissions:
pull-requests: write
jobs:
python_scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }}
- name: scan
id: py_scan
run: |
export DEBIAN_FRONTEND=noninteractive && \
echo 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selections && \
sudo apt-get update && \
sudo apt install jq && \
python3 -m pip install --upgrade pip && \
python3 -m pip install semgrep==1.37.0 && \
python3 -m pip install --upgrade urllib3 && \
mkdir -p /home/runner/reports/ && \
cd ${GITHUB_WORKSPACE}/ && \
semgrep --config=.github/workflows/config/semgrep-python.yml --json -o /home/runner/reports/semgrep.out \
--severity ERROR ./ && \
echo "## Validation Issues Found (Python) :snake: " >> /home/runner/reports/python-msg && \
cat /home/runner/reports/semgrep.out | jq -r --arg ws "$GITHUB_WORKSPACE" --arg url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/blob/$GITHUB_SHA" '.results[] | "**File:** [\(.path | sub($ws; "."; "g"))](\(.path | sub($ws; $url; "g"))#L\(.start.line)) \n**Line Number:** \(.start.line) \n**Statement(s):** \n``` \n\(.extra.lines) \n``` \n**Rule:** \n\(.extra.message)\n\n"' >> /home/runner/reports/python-msg && \
echo "::set-output name=python-found-count::$(cat /home/runner/reports/semgrep.out | jq '.results | length')"
- name: Fail if found
if: steps.py_scan.outputs.python-found-count > 0
uses: actions/github-script@v7
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
const fs = require('fs')
var msg = fs.readFileSync('/home/runner/reports/python-msg', 'utf8');
console.log('${{steps.py_scan.outputs.python-found-count}} errors found in python files');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: msg
});
core.setFailed('Semgrep found errors in Python files. Please check the uploaded report');
- name: Upload scan reports
uses: actions/[email protected]
if: failure()
with:
name: semgrep-python-report
path: /home/runner/reports/semgrep.out
c_scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }}
- name: scan
id: c_scan
run: |
export DEBIAN_FRONTEND=noninteractive && \
echo 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selections && \
sudo apt-get update && \
sudo apt install jq && \
python3 -m pip install --upgrade pip && \
python3 -m pip install semgrep==1.37.0 && \
python3 -m pip install --upgrade urllib3 && \
mkdir -p /home/runner/reports/ && \
cd ${GITHUB_WORKSPACE}/ && \
semgrep --config=.github/workflows/config/semgrep-c.yml --json -o /home/runner/reports/semgrep.out \
--severity ERROR ./ && \
echo "## Validation Issues Found (c) :snake: " >> /home/runner/reports/c-msg && \
cat /home/runner/reports/semgrep.out | jq -r --arg ws "$GITHUB_WORKSPACE" --arg url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/blob/$GITHUB_SHA" '.results[] | "**File:** [\(.path | sub($ws; "."; "g"))](\(.path | sub($ws; $url; "g"))#L\(.start.line)) \n**Line Number:** \(.start.line) \n**Statement(s):** \n``` \n\(.extra.lines) \n``` \n**Rule:** \n\(.extra.message)\n\n"' >> /home/runner/reports/python-msg && \
echo "::set-output name=c-found-count::$(cat /home/runner/reports/semgrep.out | jq '.results | length')"
- name: Fail if found
if: steps.c_scan.outputs.c-found-count > 0
uses: actions/github-script@v7
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
const fs = require('fs')
var msg = fs.readFileSync('/home/runner/reports/c-msg', 'utf8');
console.log('${{steps.c_scan.outputs.c-found-count}} errors found in c files');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: msg
});
core.setFailed('Semgrep found errors in c files. Please check the uploaded report');
- name: Upload scan reports
uses: actions/[email protected]
if: failure()
with:
name: semgrep-c-report
path: /home/runner/reports/semgrep.out
bash_scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }}
- name: scan
id: bash_scan
run: |
export DEBIAN_FRONTEND=noninteractive && \
echo 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selections && \
sudo apt-get update && \
sudo apt install jq && \
python3 -m pip install --upgrade pip && \
python3 -m pip install semgrep==1.37.0 && \
python3 -m pip install --upgrade urllib3 && \
mkdir -p /home/runner/reports/ && \
cd ${GITHUB_WORKSPACE}/ && \
semgrep --config=.github/workflows/config/semgrep-c.yml --json -o /home/runner/reports/semgrep.out \
--severity ERROR ./ && \
echo "## Validation Issues Found (bash) :snake: " >> /home/runner/reports/bash-msg && \
cat /home/runner/reports/semgrep.out | jq -r --arg ws "$GITHUB_WORKSPACE" --arg url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/blob/$GITHUB_SHA" '.results[] | "**File:** [\(.path | sub($ws; "."; "g"))](\(.path | sub($ws; $url; "g"))#L\(.start.line)) \n**Line Number:** \(.start.line) \n**Statement(s):** \n``` \n\(.extra.lines) \n``` \n**Rule:** \n\(.extra.message)\n\n"' >> /home/runner/reports/python-msg && \
echo "::set-output name=bash-found-count::$(cat /home/runner/reports/semgrep.out | jq '.results | length')"
- name: Fail if found
if: steps.bash_scan.outputs.bash-found-count > 0
uses: actions/github-script@v7
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
const fs = require('fs')
var msg = fs.readFileSync('/home/runner/reports/bash-msg', 'utf8');
console.log('${{steps.bash_scan.outputs.bash-found-count}} errors found in bash files');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: msg
});
core.setFailed('Semgrep found errors in bash files. Please check the uploaded report');
- name: Upload scan reports
uses: actions/[email protected]
if: failure()
with:
name: semgrep-bash-report
path: /home/runner/reports/semgrep.out