From 146e4fd87b2eec42b6cec6aa92d7643518e4425e Mon Sep 17 00:00:00 2001
From: akashkumarmg
Date: Tue, 11 Nov 2025 15:45:46 +0530
Subject: [PATCH 1/2] Update semgrep.yml
updating the semgrep workflow with PR commenting feature
---
 .github/workflows/semgrep.yml | 65 +++++++++++++++++++++++++----------
 1 file changed, 47 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index bce5fc8e..bb2b9b81 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -1,35 +1,64 @@ -name: Semgrep +name: Semgrep Scan -# Run workflow each time code is pushed to your repository. on: - push: - branches: - - main pull_request: branches: - - main + - v2 + jobs: build: runs-on: ubuntu-latest + permissions: + pull-requests: write # Give write permission to PRs + issues: write steps: - name: Checkout code uses: actions/checkout@v3 - - name: Install Semgrep - run: pip install semgrep + - name: Install Semgrep and jq + run: | + sudo apt install python3-venv jq + python3 -m venv .venv + .venv/bin/pip install semgrep - name: Run Semgrep run: | - semgrep --config .semgreprules/customRule.yml --config auto --severity ERROR --sarif . > results.sarif + source .venv/bin/activate + semgrep --config auto --severity ERROR --json-output=results.json --no-error + cat results.json | jq .results > pretty-results.json - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 + - name: Display Raw Semgrep JSON Output + run: | + echo "Displaying raw Semgrep results..." 
+ cat pretty-results.json + + - name: Add comment on PR if findings are found + uses: actions/github-script@v6 with: - # Path to SARIF file relative to the root of the repository - sarif_file: results.sarif + script: | + // Ensure the context has a pull_request + if (context.payload.pull_request) { + const prNumber = context.payload.pull_request.number; + const fs = require('fs'); + const results = JSON.parse(fs.readFileSync('pretty-results.json', 'utf8')); + const highFindings = results.filter(result => result.extra && result.extra.severity === 'ERROR'); - - name: Upload results - uses: actions/upload-artifact@v4 - with: - name: semgrep-results - path: results.sarif + // Comment if findings exist + if (highFindings.length > 0) { + const comment = `**Semgrep Findings:** Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging.`; + await github.rest.issues.createComment({ + ...context.repo, + issue_number: prNumber, + body: comment + }); + } else { + const noIssuesComment = "**Semgrep findings:** No issues found, Good to merge."; + await github.rest.issues.createComment({ + ...context.repo, + issue_number: prNumber, + body: noIssuesComment + }); + } + } else { + console.log("This workflow wasn't triggered by a pull request, so no comment will be added."); + } From 281847a887147d72c88ae0f208137cc35f415b05 Mon Sep 17 00:00:00 2001 From: akashkumarmg Date: Tue, 11 Nov 2025 15:51:44 +0530 Subject: [PATCH 2/2] Delete .semgreprules directory Deleting the semgrep custom rule as it is not required in the new workflow. --- .semgreprules/customRule.yml | 30 ------------------------------ 1 file changed, 30 deletions(-) delete mode 100644 .semgreprules/customRule.yml diff --git a/.semgreprules/customRule.yml b/.semgreprules/customRule.yml deleted file mode 100644 index b275e280..00000000 --- a/.semgreprules/customRule.yml +++ /dev/null 
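Review bot: With `--no-error` on the `semgrep` line in the "Run Semgrep" step, the job exits 0 even when ERROR-level findings exist, so the PR comment asks authors to resolve issues while nothing in the workflow can actually block the merge; if the scan is meant to gate, add `core.setFailed(`${highFindings.length} Semgrep ERROR finding(s) found`);` after the `createComment` call in the `highFindings.length > 0` branch so branch protection can require this check. The script also posts a fresh comment on every run rather than locating and updating an earlier bot comment, so a PR with several pushes accumulates duplicate "Semgrep Findings" comments. `issues: write` looks unnecessary for commenting on a pull request through `issues.createComment` — `pull-requests: write` should cover it, which is worth confirming so the job token stays at least privilege. Note that on a `pull_request` event from a fork the `GITHUB_TOKEN` is read-only regardless of the `permissions` block, so the comment step would presumably fail there instead of posting.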
@@ -1,30 +0,0 @@ -rules: -- id: check-sensitive-info - message: >- - Potential sensitive information found: $1 - severity: ERROR - languages: - - yaml - - go - - javascript - - java - - python - - golang - - docker - patterns: - - pattern-regex: (?i)\b(api[_-]key|api[_-]token|api[_-]secret[_-]key|api[_-]password|token|secret[_-]key|password|auth[_-]key|auth[_-]token|AUTH_PASSWORD)\s*[:=]\s*(['"]?)((?!YOUR_EXCLUSION_PATTERN_HERE)[A-Z]+.*?)\2 - -- id: check-logger-appconfig - message: >- - Potential Logging configuration found: $1 - severity: ERROR - languages: - - yaml - - go - - javascript - - java - - python - - golang - - docker - patterns: - - pattern-regex: log\.Logger\(\).*(appConfig).*