Merge pull request #12 from JuliaImageRecon/semgrep

nHackel · web-flow · commit e1df52fca63f · 2024-11-14T14:46:48.000+01:00
Add Semgrep static analysis
diff --git a/.github/workflows/Semgrep.yml b/.github/workflows/Semgrep.yml
@@ -0,0 +1,66 @@
+# Based on:
+# https://semgrep.dev/docs/semgrep-ci/sample-ci-configs#github-actions
+# https://0xdbe.github.io/GitHub-HowToEnableCodeScanningWithSemgrep/
+# https://medium.com/@mostafa.elnakeb/supercharging-your-code-quality-with-semgrep-sast-in-github-actions-c8f30eb26655
+# Name of this GitHub Actions workflow.
+name: Semgrep OSS scan
+
+on:
+  # Scan on-demand through GitHub Actions interface:
+  workflow_dispatch:
+    branches:
+      - main
+  # Schedule the CI job (this method uses cron syntax):
+  schedule:
+    - cron: '0 0 * * 1' # Run at start of week 
+    
+jobs:
+  semgrep:
+    # User definable name of this GitHub Actions job.
+    name: semgrep-oss/scan
+    # If you are self-hosting, change the following `runs-on` value: 
+    runs-on: ubuntu-latest
+
+    steps:
+        # Checkout the repository.
+      - name: Clone source code
+        uses: actions/checkout@v4
+
+        # Checkout custom rules
+      - name: Checkout custom rules
+        uses: actions/checkout@v4
+        with:
+          repository: JuliaComputing/semgrep-rules-julia
+          ref: main
+          path: ./JuliaRules
+
+        # Prepare Python
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+        # Install Semgrep
+      - name: Install Semgrep
+        run: python3 -m pip install semgrep
+
+        # Run Semgrep
+      - name: Scan with Semgrep
+        run: | 
+            semgrep scan \
+                --config ./JuliaRules/rules \
+                --metrics=off \
+                --sarif --output report.sarif \
+                --oss-only \
+                --exclude=JuliaRules
+    
+      - name: Save Semgrep report
+        uses: actions/upload-artifact@v4
+        with:
+          name: report.sarif
+          path: report.sarif
+      
+      - name: Upload Semgrep report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: report.sarif
+          category: semgrep
