Conversation
sebasrevuelta left a comment:
Tested GitHub contributors. It works fine. I added a couple of comments that I think should be applied to the other SCMs. Good job @stuartcmehrens
utilities/contributors/README.md (outdated)

#### GitHub

```bash
semgrep-contributors github [OPTIONS]
```

Suggested change:

```bash
semgrep-contributors get-contributors github [OPTIONS]
```
Thanks for catching this -- I found a few more instances and updated accordingly!
utilities/contributors/README.md (outdated)

- `--api-key TEXT`: GitHub API key (or set `GITHUB_API_KEY` environment variable)
- `--org-name TEXT`: Name of the GitHub organization (required)
- `--number-of-days INTEGER`: Number of days to analyze (default: 30)
- `--output-filename TEXT`: Output JSON file path (optional)

Suggested change:

- `--output-dir TEXT`: Output path (optional)
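Review bot: the suggested `--output-dir TEXT: Output path (optional)` loses the one useful detail the replaced `--output-filename` line carried, namely that the output is a JSON file. Since the flag now names a directory, the README should say so and state what file name is written inside it and where output goes when the flag is omitted, otherwise a reader cannot tell `--output-dir` from the old path option.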
Thanks for catching this -- I found a few more instances and updated accordingly!
Legal Risk
The following dependencies were released under a license that
Recommendation
While merging is not directly blocked, it's best to pause and consider what it means to use this license before continuing. If you are unsure, reach out to your security team or Semgrep admin to address this issue.
Licenses: Apache-2.0, MIT
```dockerfile
ENV PATH="/app/.venv/bin:$PATH"

ENTRYPOINT ["semgrep-contributors"]
```
Semgrep identified an issue in your code:
By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.
To resolve this comment:
Commit Assistant fix suggestion, attached to the line `ENTRYPOINT ["semgrep-contributors"]`:

```dockerfile
FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim
WORKDIR /app
ENV UV_COMPILE_BYTECODE=1
ENV UV_LINK_MODE=copy
COPY pyproject.toml uv.lock /app/
RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --locked --no-install-project --no-dev
COPY . /app
RUN --mount=type=cache,target=/root/.cache/uv \
    uv pip install . --no-deps
ENV PATH="/app/.venv/bin:$PATH"
# Create non-root user 'appuser' with UID 1000
RUN useradd -m -u 1000 appuser && \
    chown -R appuser /app
# Switch to non-root user
USER appuser
ENTRYPOINT ["semgrep-contributors"]
```
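Review bot: the suggestion is anchored on the single `ENTRYPOINT ["semgrep-contributors"]` line, but its body starts over at `FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim` and repeats `WORKDIR`, both `ENV`s, both `COPY`/`RUN` pairs and `ENV PATH`, so accepting it as a GitHub suggestion would leave those instructions in the Dockerfile twice. Only `RUN useradd -m -u 1000 appuser && chown -R appuser /app` and `USER appuser` need to go in before `ENTRYPOINT`. Separately, `chown -R appuser /app` gives the runtime user write access to the application code and the `.venv` it executes from, which is more than dropping root requires: the CLI only reads those, so keep `/app` root-owned and give `appuser` a writable directory only where it writes output (the `--output-dir` path from the README). That also stops a compromised process from rewriting its own code inside the container.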
Step-by-step instructions:

- Add a non-root user to your Dockerfile after installing your dependencies but before setting the ENTRYPOINT. For example, add `RUN useradd -m -u 1000 appuser` to create a new user named `appuser`.
- Change the active user by adding `USER appuser` before the `ENTRYPOINT` line. For example:

```dockerfile
RUN useradd -m -u 1000 appuser
USER appuser
ENTRYPOINT ["semgrep-contributors"]
```

- Make sure any files or directories your app needs write access to are owned or writable by `appuser`. You can use a command like `RUN chown -R appuser /app` if needed.

Ignore this finding: reply with Semgrep commands to ignore this finding: `/fp <comment>` for false positive, `/ar <comment>` for acceptable risk, `/other <comment>` for all other reasons. Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by missing-user-entrypoint.
You can view more details about this finding in the Semgrep AppSec Platform.
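As an added example, not code from this PR and not Semgrep's own rule implementation, here is the static check that the `missing-user-entrypoint` finding above encodes: parse the Dockerfile, take the last `USER` of the final build stage, and flag the image when that user is absent or resolves to root. The two Dockerfiles embedded below are re-typed from this review thread (the original and the Commit Assistant suggestion); the function names are mine. It goes a little beyond what the thread exercises by handling backslash continuations, lowercase instructions, `USER uid:gid` forms and multi-stage builds, where only the last stage's `USER` matters.

```python
from typing import Iterator, Optional

# Constructed inputs re-typed from the review thread: the original Dockerfile
# (no USER, so the entrypoint runs as root) and the suggested fix.
BEFORE = """\
FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim
WORKDIR /app
ENV UV_COMPILE_BYTECODE=1
ENV UV_LINK_MODE=copy
COPY pyproject.toml uv.lock /app/
RUN --mount=type=cache,target=/root/.cache/uv \\
    uv sync --locked --no-install-project --no-dev
COPY . /app
RUN --mount=type=cache,target=/root/.cache/uv \\
    uv pip install . --no-deps
ENV PATH="/app/.venv/bin:$PATH"
ENTRYPOINT ["semgrep-contributors"]
"""

AFTER = BEFORE.replace(
    'ENTRYPOINT ["semgrep-contributors"]',
    "# Create non-root user 'appuser' with UID 1000\n"
    "RUN useradd -m -u 1000 appuser && \\\n"
    "    chown -R appuser /app\n"
    "# Switch to non-root user\n"
    "USER appuser\n"
    'ENTRYPOINT ["semgrep-contributors"]',
)

ROOT_IDS = {"root", "0"}


def logical_lines(dockerfile: str) -> Iterator[str]:
    """Yield instructions with backslash continuations joined; comments and blanks dropped."""
    pending = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        yield (pending + line).strip()
        pending = ""
    if pending:  # dangling continuation at end of file
        yield pending.strip()


def last_user(dockerfile: str) -> Optional[str]:
    """Argument of the last USER instruction in the final build stage, or None.

    Every FROM starts a new stage, and a stage begins as root no matter what an
    earlier stage set, so the tracked user is reset at each FROM. Caveat
    (assumption of this checker): a base image that already sets USER in its own
    metadata is invisible here and would be reported as root, a false positive.
    """
    user: Optional[str] = None
    for line in logical_lines(dockerfile):
        parts = line.split(None, 1)
        instr = parts[0].upper()
        if instr == "FROM":
            user = None
        elif instr == "USER" and len(parts) == 2 and parts[1].strip():
            user = parts[1].strip()
    return user


def runs_as_root(dockerfile: str) -> bool:
    """True when the final stage would start its ENTRYPOINT/CMD as root."""
    user = last_user(dockerfile)
    if user is None:
        return True
    name = user.split(":", 1)[0]  # 'USER appuser:appgroup' or 'USER 1000:1000'
    return name in ROOT_IDS


def verdict(dockerfile: str) -> str:
    """One-line verdict in the style of the finding above."""
    if runs_as_root(dockerfile):
        return "root (missing-user-entrypoint)"
    return f"non-root ({last_user(dockerfile)})"


if __name__ == "__main__":
    print("before:", verdict(BEFORE))
    print("after: ", verdict(AFTER))
```

Run it as a pre-merge check over the Dockerfiles in a repo; for the two inputs above it reports the original as root and the suggested fix as `appuser`. The multi-stage reset matters in practice: a `USER nobody` placed in a builder stage does nothing for the image that ships.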
We have a lot of contributor scripts floating around. This PR merges them all into a CLI utility that should be easier to maintain and improve upon moving forward.