From e59410c1f5b9c2fd4aecb3f67df5f8f53c6c4b5c Mon Sep 17 00:00:00 2001
From: Pankaj Mouriya
Date: Thu, 5 Sep 2024 12:18:56 +0530
Subject: [PATCH 1/9] feat(SEC-1211): update semgrep version

---
 security-actions/semgrep/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security-actions/semgrep/action.yml b/security-actions/semgrep/action.yml
index a1ece931..14059eac 100644
--- a/security-actions/semgrep/action.yml
+++ b/security-actions/semgrep/action.yml
@@ -27,7 +27,7 @@ runs:
 steps:
 - name: SAST Scan
- uses: docker://returntocorp/semgrep
+ uses: docker://returntocorp/semgrep:1.86.0
 id: semgrep
 continue-on-error: true
 with:

From ae892ed7bc00eca136a02e123a21a6a52d0ec5f3 Mon Sep 17 00:00:00 2001
From: Pankaj Mouriya
Date: Fri, 6 Sep 2024 03:29:36 +0530
Subject: [PATCH 2/9] Add a new entry for the Semgrep action under the docker ecosystem

Specify the directory as /security-actions/semgrep to ensure that Dependabot monitors changes to the Semgrep Docker image The commit-message section uses the prefix semgrep and includes the scope to make it clear in the PR message Dependabot version updates does not support docker:// hence remove the use of this URI Ref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#github-actions

---
 .github/dependabot.yml | 8 ++++++++
 security-actions/semgrep/action.yml | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b55a4ce0..690a2adc 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -73,3 +73,11 @@ updates:
 commit-message:
 prefix: "github-actions"
 include: "scope"
+
+ - package-ecosystem: docker
+ directory: "/security-actions/semgrep"
+ schedule:
+ interval: "daily"
+ commit-message:
+ prefix: "semgrep"
+ include: "scope"
\ No newline at end of file
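Review bot: The new `uses: docker://returntocorp/semgrep:1.86.0` pins a mutable tag, so the image that runs the SAST step can still change under the same name; pin the digest as well, `uses: docker://returntocorp/semgrep:1.86.0@sha256:<image-digest>`, and move the pin deliberately. Patch 7 in this series itself calls `semgrep/semgrep` the official image, so a new pin should probably target that namespace rather than the older `returntocorp/semgrep` one — confirm which repository the project wants to track. The hunks in patches 6 and 8 reintroduce the same tag-only pin and need the same treatment. The enclosing `steps:` list continues outside the hunk.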
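Review bot: The added `package-ecosystem: docker` entry points `directory` at `/security-actions/semgrep`, but the commit message on this hunk already states that Dependabot version updates do not handle `docker://` references, and to my knowledge the docker ecosystem scans Dockerfiles and Kubernetes-style manifests rather than a composite `action.yml`, so this stanza is unlikely to ever open a PR (patch 9 on this page removes it again); verify with a Dependabot dry run before relying on it, or give the action directory a Dockerfile whose `FROM` line carries the pin. The last added line `include: "scope"` is written without a trailing newline (`\ No newline at end of file`); end the file with one so later appends diff cleanly. Style: `docker` is the only unquoted value in the stanza — `package-ecosystem: "docker"` keeps it consistent with the quoted siblings.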
diff --git a/security-actions/semgrep/action.yml b/security-actions/semgrep/action.yml index 14059eac..fb4e6d14 100644 --- a/security-actions/semgrep/action.yml +++ b/security-actions/semgrep/action.yml @@ -27,7 +27,7 @@ runs: steps: - name: SAST Scan - uses: docker://returntocorp/semgrep:1.86.0 + uses: returntocorp/semgrep id: semgrep continue-on-error: true with: From d45e3a9fefd5109d838a8f276ef0b225dcdc46f2 Mon Sep 17 00:00:00 2001 From: Pankaj Mouriya Date: Fri, 6 Sep 2024 03:34:36 +0530 Subject: [PATCH 3/9] syntax fix --- .github/workflows/semgrep.yml | 1 - security-actions/semgrep/action.yml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 611dc08e..4655e8f6 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -24,7 +24,6 @@ jobs: if: (github.actor != 'dependabot[bot]') steps: - - uses: actions/checkout@v4 - uses: actions/checkout@v4 with: repository: ${{env.TEST_REPOSITORY}} diff --git a/security-actions/semgrep/action.yml b/security-actions/semgrep/action.yml index fb4e6d14..8c972be1 100644 --- a/security-actions/semgrep/action.yml +++ b/security-actions/semgrep/action.yml @@ -27,7 +27,7 @@ runs: steps: - name: SAST Scan - uses: returntocorp/semgrep + uses: returntocorp/semgrep:latest id: semgrep continue-on-error: true with: From fc5f01b818f4cc5391150cecfc27d1d48b55be40 Mon Sep 17 00:00:00 2001 From: Pankaj Mouriya Date: Fri, 6 Sep 2024 03:35:33 +0530 Subject: [PATCH 4/9] syntax fix --- .github/workflows/semgrep.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 4655e8f6..611dc08e 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -24,6 +24,7 @@ jobs: if: (github.actor != 'dependabot[bot]') steps: + - uses: actions/checkout@v4 - uses: actions/checkout@v4 with: repository: ${{env.TEST_REPOSITORY}} 
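Review bot: `uses: returntocorp/semgrep` is not a valid step reference — without the `docker://` scheme the value is read as a GitHub action in `owner/repo` form, which requires an `@<ref>` and an `action.yml` in that repository, and the same applies to `uses: returntocorp/semgrep:latest` in the patch-3 hunk on this line, where `:latest` additionally floats the version. Dropping the scheme does not make the step Dependabot-updatable (the patch-2 commit message itself notes Dependabot does not support `docker://`); keep the container form with tag and digest, `uses: docker://returntocorp/semgrep:1.86.0@sha256:<image-digest>`, and track the image by other means, for example a Dockerfile in the action directory that the docker ecosystem does scan. The enclosing `steps:` list continues outside the hunk.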
From 54cea63f69faa286f1360c5b242da41a818b3ef0 Mon Sep 17 00:00:00 2001
From: Pankaj Mouriya
Date: Fri, 6 Sep 2024 03:37:28 +0530
Subject: [PATCH 5/9] syntax fix

---
 security-actions/semgrep/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security-actions/semgrep/action.yml b/security-actions/semgrep/action.yml
index 8c972be1..a1ece931 100644
--- a/security-actions/semgrep/action.yml
+++ b/security-actions/semgrep/action.yml
@@ -27,7 +27,7 @@ runs:
 steps:
 - name: SAST Scan
- uses: returntocorp/semgrep:latest
+ uses: docker://returntocorp/semgrep
 id: semgrep
 continue-on-error: true
 with:

From 2cedc4a7849fba30473877c03e4ab57e5714421e Mon Sep 17 00:00:00 2001
From: Pankaj Mouriya
Date: Fri, 6 Sep 2024 03:45:41 +0530
Subject: [PATCH 6/9] syntax fix

---
 security-actions/semgrep/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security-actions/semgrep/action.yml b/security-actions/semgrep/action.yml
index a1ece931..0dfd4e55 100644
--- a/security-actions/semgrep/action.yml
+++ b/security-actions/semgrep/action.yml
@@ -27,7 +27,7 @@ runs:
 steps:
 - name: SAST Scan
- uses: docker://returntocorp/semgrep
+ uses: returntocorp/semgrep:1.86.0
 id: semgrep
 continue-on-error: true
 with:

From 2956d15a7546bdd13f01e1f861b6044302b0cfc3 Mon Sep 17 00:00:00 2001
From: Pankaj Mouriya
Date: Fri, 6 Sep 2024 04:04:12 +0530
Subject: [PATCH 7/9] test

---
 security-actions/semgrep/action.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/security-actions/semgrep/action.yml b/security-actions/semgrep/action.yml
index 0dfd4e55..6fdd638c 100644
--- a/security-actions/semgrep/action.yml
+++ b/security-actions/semgrep/action.yml
@@ -24,15 +24,17 @@ inputs: - 'false' runs: using: 'composite' + container: + # Use the official Semgrep Docker image + image: semgrep/semgrep + steps: - name: SAST Scan - uses: returntocorp/semgrep:1.86.0 id: semgrep + run: semgrep ci --config auto --sarif -o semgrep_${{github.sha}}.sarif --no-autofix ${{ inputs.additional_config }} continue-on-error: true - with: - args: "semgrep ci --config auto --sarif -o semgrep_${{github.sha}}.sarif --no-autofix ${{ inputs.additional_config }}" - + # Upload grype cve reports - name: Upload Semgrep SARIF to Workflow if: always() From 31915295dc0e17006de4f423b578017a7f33427c Mon Sep 17 00:00:00 2001 From: Pankaj Mouriya Date: Fri, 6 Sep 2024 04:05:19 +0530 Subject: [PATCH 8/9] test --- security-actions/semgrep/action.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/security-actions/semgrep/action.yml b/security-actions/semgrep/action.yml index 6fdd638c..8f9695f3 100644 --- a/security-actions/semgrep/action.yml +++ b/security-actions/semgrep/action.yml @@ -24,16 +24,14 @@ inputs: - 'false' runs: using: 'composite' - container: - # Use the official Semgrep Docker image - image: semgrep/semgrep - steps: - name: SAST Scan + uses: docker://returntocorp/semgrep:1.86.0 id: semgrep - run: semgrep ci --config auto --sarif -o semgrep_${{github.sha}}.sarif --no-autofix ${{ inputs.additional_config }} continue-on-error: true + with: + args: "semgrep ci --config auto --sarif -o semgrep_${{github.sha}}.sarif --no-autofix ${{ inputs.additional_config }}" # Upload grype cve reports - name: Upload Semgrep SARIF to Workflow From 6374e9c4f095db2d58734fd812728544d4ea4abf Mon Sep 17 00:00:00 2001 From: Pankaj Mouriya Date: Fri, 6 Sep 2024 04:17:26 +0530 Subject: [PATCH 9/9] removed the semgrep package-ecosystem --- .github/dependabot.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 690a2adc..681e93ba 100644 --- a/.github/dependabot.yml 
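Review bot: `container:` is not a key of `runs:` for a `using: 'composite'` action — a container is a job-level setting in workflows, so the added `container:`/`image: semgrep/semgrep` block is most likely rejected when the action metadata is parsed, and the new `run:` step is missing the `shell:` key that composite `run` steps require. Even if it were accepted, `semgrep ci ...` would execute on the runner host, not in the image, so the step would fail unless semgrep is installed there. Patch 8 on this line reverts to the `docker://` step, which is the supported way to run a container from a composite action; whichever image is kept should be pinned by digest. The enclosing `runs:` block continues outside the hunk.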
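Review bot: The restored `args:` line splices `${{ inputs.additional_config }}` into the container command string, so the runner expands whatever the calling workflow supplies before `docker run` sees it; since this input is caller-controlled, document in its `inputs` entry (outside this hunk) that it must be a fixed set of semgrep flags and should never be built from event payload, or add a step that rejects values containing anything other than the expected flag tokens. The `docker://returntocorp/semgrep:1.86.0` reference here needs a digest for the reason given on patch 1. The enclosing `steps:` list continues outside the hunk.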
+++ b/.github/dependabot.yml
@@ -72,12 +72,4 @@ updates:
 interval: "daily"
 commit-message:
 prefix: "github-actions"
- include: "scope"
-
- - package-ecosystem: docker
- directory: "/security-actions/semgrep"
- schedule:
- interval: "daily"
- commit-message:
- prefix: "semgrep"
 include: "scope"
\ No newline at end of file