From 9975ca1db2246da94f3b622e90ecf81b1a57cc1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9Cswati31196=E2=80=9D?= Date: Tue, 11 Jan 2022 17:00:41 +0530 Subject: [PATCH 1/8] Semgrep Integration --- .github/workflows/security.yml | 52 ++++++++++++++++++++++++++++++++++ .semgrepignore | 1 + 2 files changed, 53 insertions(+) create mode 100644 .github/workflows/security.yml create mode 100644 .semgrepignore diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..4759edf --- /dev/null +++ b/.github/workflows/security.yml 
@@ -0,0 +1,52 @@
+name: SecurityChecks
+on:
+ pull_request: {}
+ push:
+ branches: ["master"]
+ schedule:
+ - cron: '30 20 * * *'
+jobs:
+ semgrep:
+ name: Scan
+ runs-on: [ubuntu-latest]
+ steps:
+ - uses: actions/checkout@v2
+ - uses: returntocorp/semgrep-action@v1
+ with:
+ publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
+ publishDeployment: 339
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ workflow_status:
+ runs-on: [ ubuntu-latest ]
+ name: Update Status Check
+ needs: [ semgrep ]
+ if: always()
+ env:
+ githubCommit: ${{ github.event.pull_request.head.sha }}
+ steps:
+ - name: Set github commit id
+ run: |
+ if [ "${{ github.event_name }}" = "push" ]; then
+ echo "githubCommit=${{ github.sha }}" >> $GITHUB_ENV
+ fi
+ exit 0
+ - name: Failed
+ id: failed
+ if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
+ run: |
+ echo 'Failing the workflow for github security status check.'
+ curl -X POST -H "Content-Type: application/json" -H "Authorization: token ${{ github.token }}" \
+ -d '{ "state" : "failure" , "context" : "github/security-status-check" , "description" : "github/security-status-check", "target_url" : "https://github.com/${{ github.repository }}" }' \
+ https://api.github.com/repos/${{ github.repository }}/statuses/${{ env.githubCommit }}
+ exit 1
+ - name: Success
+ if: steps.failed.conclusion == 'skipped'
+ run: |
+ echo 'Status check has passed!'
+ curl -X POST -H "Content-Type: application/json" -H "Authorization: token ${{ github.token }}" \
+ -d '{ "state" : "success" , "context" : "github/security-status-check" , "description" : "github/security-status-check", "target_url" : "https://github.com/${{ github.repository }}" }' \
+ https://api.github.com/repos/${{ github.repository }}/statuses/${{ env.githubCommit }}
+ exit 0
+
\ No newline at end of file
diff --git a/.semgrepignore b/.semgrepignore
new file mode 100644
index 0000000..d9a04ee
--- /dev/null
+++ b/.semgrepignore
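Review bot: The `workflow_status` job writes commit statuses with `github.token` but the workflow declares no `permissions:` block, so it runs with the repository's default token scope instead of the single scope it needs; a top-level `permissions:` with `contents: read` (for checkout) and `statuses: write` would keep it at least privilege. `actions/checkout@v2` and `returntocorp/semgrep-action@v1` are referenced by mutable tags, so pinning each to a full commit SHA would make the scanner step itself reproducible. The two `curl -X POST` calls in the Failed and Success steps run without `--fail`, so a rejected status write (for example an HTTP 4xx, which is the likely outcome on pull requests from forks where the token is read-only) is never surfaced and the Success step still exits 0 with no status set; adding `-f` to both calls fixes that. The `${{ }}` values interpolated into `run:` here are GitHub-controlled fields (`github.event_name`, `github.sha`, `github.repository`, `github.token`), so there is no script-injection exposure as written, but passing them through `env:` would keep that true if the list grows.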
@@ -0,0 +1 @@ +.github/workflows/security.yml From f2c6933db4d407fe11eea60ae132713cea2efb80 Mon Sep 17 00:00:00 2001 From: javeeth Date: Wed, 12 Jan 2022 11:03:50 +0530 Subject: [PATCH 2/8] Update .semgrepignore --- .semgrepignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.semgrepignore b/.semgrepignore index d9a04ee..d403cfc 100644 --- a/.semgrepignore +++ b/.semgrepignore @@ -1 +1 @@ -.github/workflows/security.yml +.github/workflows/ From 622a63782cb87b23dc9c4ca25211e4e9680a1b6f Mon Sep 17 00:00:00 2001 From: javeeth Date: Wed, 12 Jan 2022 12:12:57 +0530 Subject: [PATCH 3/8] Update security.yml --- .github/workflows/security.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 4759edf..a83eff6 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -28,13 +28,13 @@ jobs: steps: - name: Set github commit id run: | - if [ "${{ github.event_name }}" = "push" ]; then + if [ "${{ github.event_name }}" = "push" ] || "${{ github.event_name }}" = "schedule" ]; then echo "githubCommit=${{ github.sha }}" >> $GITHUB_ENV fi exit 0 - name: Failed id: failed - if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') + if: (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) && github.ref != 'refs/heads/master' run: | echo 'Failing the workflow for github security status check.' curl -X POST -H "Content-Type: application/json" -H "Authorization: token ${{ github.token }}" \ @@ -49,4 +49,4 @@ jobs: -d '{ "state" : "success" , "context" : "github/security-status-check" , "description" : "github/security-status-check", "target_url" : "https://github.com/${{ github.repository }}" }' \ https://api.github.com/repos/${{ github.repository }}/statuses/${{ env.githubCommit }} exit 0 - \ No newline at end of file + From 0f1d0d757296688a0d56760b35ff9ba507b53c10 Mon Sep 17 00:00:00 2001 
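Review bot: Widening the ignore entry from the single `security.yml` to all of `.github/workflows/` removes the CI configuration from the scan entirely, so any semgrep rules that target GitHub Actions workflows never run on this repository; patch 7 in this series ends with the same `.github/workflows/` exclusion after patch 5 briefly swaps it for `bin/`. If the directory-wide exclusion exists only to silence findings on `security.yml`, keeping the original per-file entry, or a `# nosemgrep` annotation on the specific lines, would preserve coverage of other workflows. A one-line `#` comment in `.semgrepignore` stating why the directory is excluded would also help the next maintainer, e.g. `# CI workflow config is excluded from the scan: <reason>`.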
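Review bot: The new `if` line in the `Set github commit id` step is missing the opening `[` of its second test: `[ "…" = "push" ] || "…" = "schedule" ]` makes the shell execute the event name as a command after `||`, which fails with command-not-found, so on `schedule` runs the branch is still not taken, `githubCommit` stays empty (`github.event.pull_request.head.sha` is unset for that event) and the later status POSTs target `/statuses/` with no SHA. The line should read `if [ "${{ github.event_name }}" = "push" ] || [ "${{ github.event_name }}" = "schedule" ]; then`. Separately, the `&& github.ref != 'refs/heads/master'` added to the Failed step's `if` means that on master a failed or cancelled scan skips the Failed step, which then satisfies the Success step's `steps.failed.conclusion == 'skipped'` and posts an explicit `success` status for a scan that did not pass; if the intent is only not to block master, leaving the status unset there, or posting `failure` without the `exit 1`, would keep the status truthful. The enclosing `workflow_status` job starts outside this hunk.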
From: javeeth Date: Wed, 12 Jan 2022 12:14:22 +0530 Subject: [PATCH 4/8] Update security.yml --- .github/workflows/security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index a83eff6..f656252 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -34,7 +34,7 @@ jobs: exit 0 - name: Failed id: failed - if: (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) && github.ref != 'refs/heads/master' + if: (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) && github.ref != 'refs/heads/semgrep_integration_1641900519' run: | echo 'Failing the workflow for github security status check.' curl -X POST -H "Content-Type: application/json" -H "Authorization: token ${{ github.token }}" \ From adbeeadda863c6ab1f4ad942d9f97c271ab23e53 Mon Sep 17 00:00:00 2001 From: javeeth Date: Wed, 12 Jan 2022 12:14:48 +0530 Subject: [PATCH 5/8] Update .semgrepignore --- .semgrepignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.semgrepignore b/.semgrepignore index d403cfc..e660fd9 100644 --- a/.semgrepignore +++ b/.semgrepignore @@ -1 +1 @@ -.github/workflows/ +bin/ From a5a0c49750f077e1f93803200935f9595c055b81 Mon Sep 17 00:00:00 2001 From: javeeth Date: Wed, 12 Jan 2022 12:19:21 +0530 Subject: [PATCH 6/8] Update security.yml --- .github/workflows/security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index f656252..a83eff6 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
@@ -34,7 +34,7 @@ jobs: exit 0 - name: Failed id: failed - if: (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) && github.ref != 'refs/heads/semgrep_integration_1641900519' + if: (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) && github.ref != 'refs/heads/master' run: | echo 'Failing the workflow for github security status check.' curl -X POST -H "Content-Type: application/json" -H "Authorization: token ${{ github.token }}" \ From fdfa073e50a237826e72186c380d24f7402c58ef Mon Sep 17 00:00:00 2001 From: javeeth Date: Wed, 12 Jan 2022 12:21:04 +0530 Subject: [PATCH 7/8] Update .semgrepignore --- .semgrepignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.semgrepignore b/.semgrepignore index e660fd9..d403cfc 100644 --- a/.semgrepignore +++ b/.semgrepignore @@ -1 +1 @@ -bin/ +.github/workflows/ From 9302f3beb6105c81b8696638322d4246a16d3a04 Mon Sep 17 00:00:00 2001 From: javeeth Date: Wed, 12 Jan 2022 12:34:42 +0530 Subject: [PATCH 8/8] Update security.yml --- .github/workflows/security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index a83eff6..0ef0530 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -42,7 +42,7 @@ jobs: https://api.github.com/repos/${{ github.repository }}/statuses/${{ env.githubCommit }} exit 1 - name: Success - if: steps.failed.conclusion == 'skipped' + if: steps.failed.conclusion == 'skipped' || github.ref != 'refs/heads/master' run: | echo 'Status check has passed!' curl -X POST -H "Content-Type: application/json" -H "Authorization: token ${{ github.token }}" \
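Review bot: The `|| github.ref != 'refs/heads/master'` added to the Success step's `if` appears to have no effect on the visible steps: a step `if` with no status-check function gets an implicit `success()`, so on a non-master ref where the Failed step ran and exited 1 the Success step is still skipped, and where the Failed step was skipped the first operand is already true. Either drop the added clause or, if a different behaviour is intended on non-master refs, spell it out in a comment above the step so the next reader does not have to reason it out, e.g. `# Posts "success" only when the Failed step was skipped (no failure, or a master ref)`. The `curl` in this step also runs without `-f`, so a rejected status write still exits 0. The enclosing `workflow_status` job starts outside this hunk.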