Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: Add SARIF upload to GitHub Security Dashboard #2929

Merged
merged 6 commits into from
Sep 30, 2024

Conversation

jkan2
Copy link
Contributor

@jkan2 jkan2 commented Sep 27, 2024

Description

Since the findings are located in the semgrep UI, this will allow it to be uploaded to the security dashboard (under code scanning in the security tab). The python script is from semgrep themselves and it transforms the original sarif from semgrep to a more useable readable format in GHAS.

Also changed the image pull to be in ghcr instead of docker hub to prevent pull rate limiting and potential docker hub outages

How Has This Been Tested?

  • Tested CCTX in localnet
  • Tested in development environment
  • Go unit tests
  • Go integration tests
  • Tested via GitHub Actions

Summary by CodeRabbit

  • New Features

    • Enhanced GitHub Actions workflow for improved security scanning.
    • Added JSON output for Semgrep findings.
    • Introduced conversion of findings to SARIF format for better integration with GitHub Advanced Security Dashboard.
  • Chores

    • Updated workflow steps for better organization and clarity.

Copy link
Contributor

coderabbitai bot commented Sep 27, 2024

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough
📝 Walkthrough
📝 Walkthrough
📝 Walkthrough
📝 Walkthrough
📝 Walkthrough

Walkthrough

The changes in the pull request enhance the GitHub Actions workflow for Semgrep by adding a checkout step for the semgrep-utilities repository. This allows the workflow to utilize a Python script for converting Semgrep's JSON output into SARIF format. The SARIF file is subsequently uploaded to the GitHub Advanced Security Dashboard. The job's conditional execution remains unchanged, still excluding runs triggered by the dependabot[bot].

Changes

File Path Change Summary
.github/workflows/semgrep.yml Added a checkout step for semgrep-utilities, updated semgrep ci command for JSON output, added a step to convert JSON to SARIF, and included a step to upload the SARIF file to GitHub Advanced Security.

Possibly related PRs

  • ci: Add Semgrep to CI #2912: The changes in both PRs involve modifications to the .github/workflows/semgrep.yml file, specifically related to the integration and execution of Semgrep within GitHub Actions workflows.

Suggested reviewers

  • CharlieMc0
  • lumtis
  • gartnera

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@github-actions github-actions bot added the ci Changes to CI pipeline or github actions label Sep 27, 2024
@jkan2 jkan2 added the no-changelog Skip changelog CI check label Sep 27, 2024
@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@jkan2 jkan2 marked this pull request as ready for review September 27, 2024 00:38
@jkan2 jkan2 requested a review from a team as a code owner September 27, 2024 00:38
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (1)
.github/workflows/semgrep.yml (1)

33-36: Correct implementation of SARIF upload to GitHub Security Dashboard.

The addition of the SARIF file upload step is correctly implemented using the official GitHub action. This will effectively integrate the Semgrep findings into the GitHub Advanced Security Dashboard.

For improved clarity and maintainability, consider extracting the SARIF filename into an environment variable. This can be achieved by modifying the workflow as follows:

name: Semgrep
on:
  workflow_dispatch: {}
  pull_request: {}
  push:
    branches:
      - develop
  schedule:
    - cron: '56 22 * * *'
jobs:
  semgrep:
    name: semgrep/ci
    runs-on: ubuntu-20.04
    env:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+     SARIF_FILE: semgrep-github.sarif
    container:
      image: semgrep/semgrep
    
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@v4    
      - name: Checkout semgrep-utilities repo
        uses: actions/checkout@v4
        with:
          repository: zeta-chain/semgrep-utilities
          path: semgrep-utilities
          
      - run: semgrep ci --json --output semgrep-findings.json 
      
-     - run: python semgrep-utilities/utilities/github-sarif-helper/src/semgrep-json-to-sarif.py --json semgrep-findings.json --sarif semgrep-github.sarif
+     - run: python semgrep-utilities/utilities/github-sarif-helper/src/semgrep-json-to-sarif.py --json semgrep-findings.json --sarif ${{ env.SARIF_FILE }}

      - name: Upload SARIF file for GitHub Advanced Security Dashboard
        uses: github/codeql-action/upload-sarif@v3
        with:
-         sarif_file: semgrep-github.sarif
+         sarif_file: ${{ env.SARIF_FILE }}

This modification enhances readability and reduces the risk of inconsistencies if the filename needs to be changed in the future.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 2892114 and 5fb560c.

📒 Files selected for processing (1)
  • .github/workflows/semgrep.yml (1 hunks)
🔇 Additional comments (2)
.github/workflows/semgrep.yml (2)

19-27: Appropriate implementation of semgrep-utilities checkout.

The addition of the semgrep-utilities repository checkout is correctly implemented. The use of a specific path for the checkout ensures proper isolation of the utilities.


29-29: Correct modification of semgrep ci command for JSON output.

The semgrep ci command has been appropriately updated to generate JSON output, which is essential for the subsequent SARIF conversion process.

.github/workflows/semgrep.yml Show resolved Hide resolved
.github/workflows/semgrep.yml Show resolved Hide resolved
@lumtis lumtis added this pull request to the merge queue Sep 30, 2024
Merged via the queue into develop with commit 03435b4 Sep 30, 2024
35 checks passed
@lumtis lumtis deleted the jkan2/update-semgrep-sarif branch September 30, 2024 09:12
morde08 pushed a commit that referenced this pull request Oct 2, 2024
* add semgrep sarif upload to GHAS

* added comment to clairfy the usage of the utility script

* use ghcr.io instead

* add tag to image

* bad org name

---------

Co-authored-by: jkan2 <[email protected]>
github-merge-queue bot pushed a commit that referenced this pull request Oct 3, 2024
…guration (#2953)

* update artillery config

* more fixes

* feat: integrate authenticated calls smart contract functionality into protocol (#2904)

* e2e tests and modifications for authenticated call

* extend test with sender check and revert case

* separate tests into separate files

* cleanup

* withdraw and call support and tests

* bump protocol contracts

* split tests into separate files

* small cleanup

* fmt

* generate

* lint

* changelog

* PR  comments

* fix case in proto

* bump vote inbound gas limit in zetaclient

* fix test

* generate

* fixing tests

* call options non empty

* generate

* test fix

* rename gateway caller

* pr comments rename tests

* PR comment

* generate

* tests

* update tests fixes

* tests fixes

* fix

* test fix

* feat!: bank precompile (#2860)

* feat: bank precompile

* feat: add deposit

* feat: extend deposit

* PoC: spend amount on behalf of EOA

* feat: expand deposit with transferFrom

* use CallEVM instead on ZRC20 bindings

* divide the contract into different files

* initialize e2e testing

* remove duplicated funding

* add codecov

* expand e2e

* fix: wait for deposit tx to be mined

* apply first round of reviews

* cover al error types test

* fixes using time.Since

* Include CallContract interface

* fix eth events in deposit precompile method

* emit Deposit event

* add withdraw function

* finalize withdraw

* pack event arguments generically

* add high level event function

* first round of review fixes

* second round of reviews

* create bank account when instantiating bank

* e2e: add good and bad scenarios

* modify fmt

* chore: group input into eventData struct

* docs: document bank's methods

* chore: generate files with suffix .gen.go

* chore: assert errors with errorIs

* chore: reset e2e test by resetting allowance

* test: add first batch of unit test

* test: cover all cases

* test: complete unit test cases

* include review suggestions

* include e2e through contract

* test: add e2e through contract complete

* test: revert balance between tests

* Update precompiles/bank/const.go

Co-authored-by: Lucas Bertrand <[email protected]>

* fix: changed coin denom

---------

Co-authored-by: skosito <[email protected]>
Co-authored-by: Lucas Bertrand <[email protected]>

* feat: add sender to revert context (#2919)

* e2e tests and modifications for authenticated call

* extend test with sender check and revert case

* separate tests into separate files

* cleanup

* withdraw and call support and tests

* bump protocol contracts

* split tests into separate files

* small cleanup

* fmt

* generate

* lint

* changelog

* PR  comments

* fix case in proto

* bump vote inbound gas limit in zetaclient

* fix test

* generate

* fixing tests

* call options non empty

* generate

* test fix

* rename gateway caller

* pr comments rename tests

* PR comment

* generate

* tests

* add sender in test contract

* extend e2e tests

* generate

* changelog

* PR comment

* generate

* update tests fixes

* tests fixes

* fix

* test fix

* gas limit fixes

* PR comment fix

* fix bad merge

* ci: add option to enable monitoring stack (#2927)

* ci: add option to enable monitoring stack

* start prometheus faster

* update

* ci: add rpcimportable test (#2817)

* ci: add rpcimportable test

* add ci

* fmt

* use github.com/btcsuite/btcd/btcutil in pkg/chains

* remove app imports types tests

* use standalone sdkconfig package

* fix policies test

* move crosschain keeper tests from types to keeper

* never seal config in tests

* use zeta-chain/ethermint#126

* add some comments

* use merged ethermint hash

* show resulting go.mod

* ci: Add SARIF upload to GitHub Security Dashboard (#2929)

* add semgrep sarif upload to GHAS

* added comment to clairfy the usage of the utility script

* use ghcr.io instead

* add tag to image

* bad org name

---------

Co-authored-by: jkan2 <[email protected]>

* fix: add recover to InitChainer to diplay informative message when starting a node from block 1 (#2925)

* add recover to InitChainer

* generate files

* add docs link to error message

* move InitChainErrorMessage to app.go

* Update app/app.go

Co-authored-by: Francisco de Borja Aranda Castillejo <[email protected]>

* use const for message

---------

Co-authored-by: Francisco de Borja Aranda Castillejo <[email protected]>

* test: add wait for block to tss migration test (#2931)

* add wait for block to tss migration test

* add comments

* refactor identifiers

* rename checkNumberOfTssGenerated to checkNumberOfTSSGenerated

* chore: allow full zetaclient config overlay (#2945)

* test(e2e): add gateway upgrade in upgrade test (#2932)

* add gateway upgrade

* change reference

* add v2 setup for all tests

* test v2 in light upgrade

* refactor setup to use custody v2 directly

* chore: improve localnet build performance (#2928)

* chore: improve localnet build performance

* propagate NODE_VERSION and NODE_COMMIT

* update hashes

---------

Co-authored-by: skosito <[email protected]>
Co-authored-by: Francisco de Borja Aranda Castillejo <[email protected]>
Co-authored-by: Lucas Bertrand <[email protected]>
Co-authored-by: Alex Gartner <[email protected]>
Co-authored-by: jkan2 <[email protected]>
Co-authored-by: jkan2 <[email protected]>
Co-authored-by: Tanmay <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
ci Changes to CI pipeline or github actions no-changelog Skip changelog CI check
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants