From 5fb560c84ab7246fda6b526b32436f4d7a761ea4 Mon Sep 17 00:00:00 2001
From: jkan2 <5862123+jkan2@users.noreply.github.com>
Date: Thu, 26 Sep 2024 17:16:59 -0700
Subject: [PATCH 1/5] add semgrep sarif upload to GHAS
---
.github/workflows/semgrep.yml | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index f76ee3d14b..7b5813f63a 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -16,7 +16,21 @@ jobs:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
container:
image: semgrep/semgrep
+ if: (github.actor != 'dependabot[bot]')
steps:
- - uses: actions/checkout@v4
- - run: semgrep ci
+ - uses: actions/checkout@v4
+ - name: Checkout semgrep-utilities repo
uses: actions/checkout@v4
with:
repository: zeta-chain/semgrep-utilities
path: semgrep-utilities
+
+ - run: semgrep ci --json --output semgrep-findings.json
+
+ - run: python semgrep-utilities/utilities/github-sarif-helper/src/semgrep-json-to-sarif.py --json semgrep-findings.json --sarif semgrep-github.sarif
+
+ - name: Upload SARIF file for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: semgrep-github.sarif
From 07504a68c39122a24695c2ac9a11470d5ff95c73 Mon Sep 17 00:00:00 2001
From: jkan2 <5862123+jkan2@users.noreply.github.com>
Date: Fri, 27 Sep 2024 10:30:46 -0700
Subject: [PATCH 2/5] added comment to clairfy the usage of the utility script
---
.github/workflows/semgrep.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 7b5813f63a..aaffc9c5bd 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
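Review bot: The `Checkout semgrep-utilities repo` step fetches `zeta-chain/semgrep-utilities` with no `ref:`, so the following `run:` executes whatever `semgrep-json-to-sarif.py` currently sits on that repository's default branch, inside a job whose `env:` carries `SEMGREP_APP_TOKEN`; pin it with `ref: "<pinned commit SHA>"` under `with:` and bump it through review like any other dependency. The same applies to `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3`, which are mutable tags rather than commit SHAs. Separately, `semgrep ci` exits non-zero when it reports blocking findings, which skips the conversion and upload steps in exactly the runs that have findings to show; gating those two steps with `if: always()` keeps the dashboard populated. The upload step also requires `security-events: write` in the job's `permissions:`, which lies outside this hunk, so it is worth confirming it is granted.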
@@ -26,8 +26,12 @@ jobs:
repository: zeta-chain/semgrep-utilities
path: semgrep-utilities
+ # uses json for semgrep script for transformation in the next step
- run: semgrep ci --json --output semgrep-findings.json
+ # transforms the the output from the above into a GHAS compatible SARIF
+ # SARIF output by "semgrep --sarif" doesn't integrate well with GHAS dashboard
+ # Example: the event name uses segmrep rules name/ID, severities are [error, warning, info], tags are a bit confusing)
- run: python semgrep-utilities/utilities/github-sarif-helper/src/semgrep-json-to-sarif.py --json semgrep-findings.json --sarif semgrep-github.sarif
- name: Upload SARIF file for GitHub Advanced Security Dashboard
From 29c5a49332651b8a36ba1bf9289565d14d96b689 Mon Sep 17 00:00:00 2001
From: jkan2 <5862123+jkan2@users.noreply.github.com>
Date: Fri, 27 Sep 2024 13:49:23 -0700
Subject: [PATCH 3/5] use ghcr.io instead
---
.github/workflows/semgrep.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index aaffc9c5bd..c7627c15c4 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -15,7 +15,7 @@ jobs:
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
container:
- image: semgrep/semgrep
+ image: ghcr.io/zetachain/semgrep-semgrep
if: (github.actor != 'dependabot[bot]')
steps:
From 516981362177d0e276096cca122b1b523c76efd6 Mon Sep 17 00:00:00 2001
From: jkan2 <5862123+jkan2@users.noreply.github.com>
Date: Fri, 27 Sep 2024 20:01:26 -0700
Subject: [PATCH 4/5] add tag to image
---
.github/workflows/semgrep.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index c7627c15c4..21edb979e8 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
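Review bot: The comment added above the `python semgrep-json-to-sarif.py` step has a few slips worth tidying before it gets copied into other workflows: `the the output`, `segmrep`, and an unbalanced `)` at the end of the `Example:` line. A cleaned-up version would read `# transforms the output from the above into a GHAS-compatible SARIF`, `# SARIF output by "semgrep --sarif" doesn't integrate well with the GHAS dashboard`, `# (example: the event name uses the semgrep rule name/ID, severities are [error, warning, info], tags are a bit confusing)`.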
@@ -15,7 +15,7 @@ jobs:
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
container:
- image: ghcr.io/zetachain/semgrep-semgrep
+ image: ghcr.io/zetachain/semgrep-semgrep:1.90.0
if: (github.actor != 'dependabot[bot]')
steps:
From 20fbb9408aec40345f1c5418ad98bde784742d73 Mon Sep 17 00:00:00 2001
From: jkan2 <5862123+jkan2@users.noreply.github.com>
Date: Sun, 29 Sep 2024 22:17:02 -0700
Subject: [PATCH 5/5] bad org name
---
.github/workflows/semgrep.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 21edb979e8..fcffcf7855 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -15,7 +15,7 @@ jobs:
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
container:
- image: ghcr.io/zetachain/semgrep-semgrep:1.90.0
+ image: ghcr.io/zeta-chain/semgrep-semgrep:1.90.0
if: (github.actor != 'dependabot[bot]')
steps:
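Review bot: `ghcr.io/zetachain/semgrep-semgrep:1.90.0` is a mutable tag, so the scanner image that receives `SEMGREP_APP_TOKEN` can change underneath this workflow with no change to the file; pinning by digest, `image: ghcr.io/zetachain/semgrep-semgrep:1.90.0@sha256:<image digest>`, makes the pull reproducible and surfaces a bump in review. The same applies to the corrected `ghcr.io/zeta-chain/semgrep-semgrep:1.90.0` line in the following patch (`bad org name`). The image appears to be a mirror of `semgrep/semgrep` into the organisation's registry, so a comment next to `image:` recording which upstream release and digest it was built from, and who maintains the mirror, would help whoever audits this job later.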