This repository was archived by the owner on Apr 7, 2026. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
174 lines (152 loc) · 5.38 KB
/
semgrep.yml
File metadata and controls
174 lines (152 loc) · 5.38 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
name: Semgrep SAST
on:
pull_request:
branches: [main, master]
schedule:
- cron: '0 4 * * *'
workflow_dispatch:
inputs:
reason:
description: "Reason for manual run"
required: false
default: "Manual security scan"
jobs:
semgrep:
name: Static analysis
runs-on: ubuntu-latest
container:
image: semgrep/semgrep
steps:
- uses: actions/checkout@v4
- name: Run Semgrep
run: |
semgrep scan --config auto --error --json --output semgrep-results.json || true
semgrep scan --config auto --error --sarif --output semgrep-results.sarif || true
# - name: Upload SARIF to GitHub
# if: always()
# uses: github/codeql-action/upload-sarif@v3
# with:
# sarif_file: semgrep-results.sarif
- name: Wrap results with repo metadata and send
if: always()
run: |
# Build a wrapper with repo/org info + semgrep results
# jq may not be in semgrep image, so use python which is guaranteed
python3 -c "
import json, os
# GitHub context
repo_full = os.environ.get('GITHUB_REPOSITORY', 'unknown/unknown') # e.g. mapup/tollguru-api
parts = repo_full.split('/', 1)
org = parts[0] if len(parts) > 1 else 'unknown'
repo = parts[1] if len(parts) > 1 else repo_full
ref = os.environ.get('GITHUB_REF', 'unknown')
sha = os.environ.get('GITHUB_SHA', 'unknown')
actor = os.environ.get('GITHUB_ACTOR', 'unknown')
event = os.environ.get('GITHUB_EVENT_NAME', 'unknown')
run_id = os.environ.get('GITHUB_RUN_ID', 'unknown')
server = os.environ.get('GITHUB_SERVER_URL', 'https://github.com')
# Load semgrep results
try:
with open('semgrep-results.json', 'r') as f:
semgrep = json.load(f)
except Exception:
semgrep = {'results': [], 'errors': [], 'version': 'unknown'}
# Wrap payload
payload = {
'tool': 'semgrep',
'org': org,
'repo': repo,
'ref': ref,
'sha': sha,
'actor': actor,
'event': event,
'run_id': run_id,
'repo_url': f'{server}/{repo_full}',
'results': semgrep.get('results', []),
'errors': semgrep.get('errors', []),
'version': semgrep.get('version', 'unknown')
}
with open('semgrep-payload.json', 'w') as f:
json.dump(payload, f)
print(f'✅ Wrapped {len(payload[\"results\"])} findings for {org}/{repo}')
"
curl -X POST "${{ secrets.SAST_WEBHOOK_URL }}?branch=${{ github.head_ref || github.ref_name }}&&repo=${{ github.event.repository.name }}" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${{ secrets.SAST_WEBHOOK_TOKEN }}" \
-d @semgrep-payload.json
# name: Semgrep SAST
# on:
# pull_request:
# branches: [main, master]
# schedule:
# - cron: '0 4 * * 1'
# workflow_dispatch: # Enables manual run
# inputs:
# reason:
# description: "Reason for manual run"
# required: false
# default: "Manual security scan"
# jobs:
# semgrep:
# name: Static analysis
# runs-on: ubuntu-latest
# container:
# image: semgrep/semgrep
# steps:
# - uses: actions/checkout@v4
# - name: Run Semgrep
# run: |
# semgrep scan --config auto --error --json --output semgrep-results.json || true
# semgrep scan --config auto --error --sarif --output semgrep-results.sarif || true
# # - name: Upload SARIF to GitHub
# # if: always()
# # uses: github/codeql-action/upload-sarif@v3
# # with:
# # sarif_file: semgrep-results.sarif
# - name: Send JSON to endpoint
# if: always()
# run: |
# curl -X POST "${{ secrets.SAST_WEBHOOK_URL }}" \
# -H "Content-Type: application/json" \
# -H "Authorization: Bearer ${{ secrets.SAST_WEBHOOK_TOKEN }}" \
# -d @semgrep-results.json
# # name: Semgrep SAST
# # on:
# # pull_request:
# # branches: [main, master]
# # schedule:
# # - cron: '0 4 * * 1'
# # workflow_dispatch:
# # jobs:
# # semgrep:
# # name: Static analysis
# # runs-on: ubuntu-latest
# # container:
# # image: semgrep/semgrep
# # steps:
# # - uses: actions/checkout@v4
# # - name: Run Semgrep
# # run: semgrep scan --config auto --error --json --output semgrep-results.json || true
# # - name: Send results to endpoint
# # if: always()
# # run: |
# # curl -X POST "${{ secrets.SAST_WEBHOOK_URL }}" \
# # -H "Content-Type: application/json" \
# # -H "Authorization: Bearer ${{ secrets.SAST_WEBHOOK_TOKEN }}" \
# # -d @semgrep-results.json
# # name: Semgrep SAST
# # on:
# # pull_request:
# # branches: [main, master]
# # schedule:
# # - cron: '0 4 * * 1' # Weekly Monday 4am UTC
# # workflow_dispatch: # Allow manual trigger
# # jobs:
# # semgrep:
# # name: Static analysis
# # runs-on: ubuntu-latest
# # container:
# # image: semgrep/semgrep
# # steps:
# # - uses: actions/checkout@v4
# # - run: semgrep scan --config auto --error --quiet