Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[actions] Support Semgrep by Github Actions #2417

Merged
merged 2 commits into from
Oct 3, 2022
Merged

[actions] Support Semgrep by Github Actions #2417

merged 2 commits into from
Oct 3, 2022

Conversation

maipbui
Copy link
Contributor

@maipbui maipbui commented Sep 30, 2022

Signed-off-by: maipbui maibui@microsoft.com

Why I did it

Semgrep is a static analysis tool to find security vulnerabilities.
When opening a PR or commtting to PR, Semgrep performs a diff-aware scanning, which scans changed files in PRs.
When merging PR, Semgrep performs a full scan on master branch and report all findings.

Ref: - Supported Language - Semgrep Rules

How I did it

Integrate Semgrep into this repository by committing a job configuration file

How to verify it

PR: maipbui/sonic-buildimage#2
Master branch full scan findings: Master branch findings results
PR maipbui/sonic-buildimage#2 scan findings: Pull request findings results

Previous command output (if the output of a command-line utility has changed)

New command output (if the output of a command-line utility has changed)

@maipbui
[actions] Support Semgrep by Github Actions
19dfd08 
Signed-off-by: maipbui <maibui@microsoft.com>
qiluo-msft
qiluo-msft reviewed Sep 30, 2022
View reviewed changes
.github/workflows/semgrep.yml Outdated
on:
pull_request: {}
push:
branches: ["master"]
Copy link
Contributor

@qiluo-msft qiluo-msft Sep 30, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to specify master and all release branches [0-9]* ? #Closed

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated. This should be backported to older branches.

qiluo-msft
qiluo-msft reviewed Sep 30, 2022
View reviewed changes
.github/workflows/semgrep.yml
jobs:
semgrep:
name: Semgrep
runs-on: ubuntu-latest
Copy link
Contributor

@qiluo-msft qiluo-msft Sep 30, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to run on debian-latest? #Closed

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Github-hosted runners do not include debian-latest.

@maipbui
add release branches
115cee3 
Signed-off-by: maipbui <maibui@microsoft.com>
@maipbui maipbui merged commit 4b2b766 into sonic-net:master Oct 3, 2022
@maipbui maipbui deleted the bui/semgrep branch October 3, 2022 18:42
yxieca pushed a commit that referenced this pull request Oct 3, 2022
@maipbui @yxieca
[actions] Support Semgrep by Github Actions (#2417)
99425a8 
Signed-off-by: maipbui <maibui@microsoft.com>
#### Why I did it
[Semgrep](https://github.com/returntocorp/semgrep) is a static analysis tool to find security vulnerabilities.
When opening a PR or commtting to PR, Semgrep performs a diff-aware scanning, which scans changed files in PRs.
When merging PR, Semgrep performs a full scan on master branch and report all findings.
Ref: - [Supported Language](https://semgrep.dev/docs/supported-languages/#language-maturity) - [Semgrep Rules](https://registry.semgrep.dev/rule)
#### How I did it
Integrate Semgrep into this repository by committing a job configuration file
#### How to verify it
PR: maipbui/sonic-buildimage#2
Master branch full scan findings: [Master branch findings results](https://github.com/maipbui/sonic-buildimage/actions/runs/3160181876/jobs/5144332404)
PR maipbui/sonic-buildimage#2 scan findings: [Pull request findings results](https://github.com/maipbui/sonic-buildimage/actions/runs/3160193505/jobs/5144357859)
EdenGri pushed a commit to EdenGri/sonic-utilities that referenced this pull request Oct 12, 2022
@maipbui @EdenGri
[actions] Support Semgrep by Github Actions (sonic-net#2417)
bdecdf8 
Signed-off-by: maipbui <maibui@microsoft.com>
#### Why I did it
[Semgrep](https://github.com/returntocorp/semgrep) is a static analysis tool to find security vulnerabilities.
When opening a PR or commtting to PR, Semgrep performs a diff-aware scanning, which scans changed files in PRs.
When merging PR, Semgrep performs a full scan on master branch and report all findings.
Ref: - [Supported Language](https://semgrep.dev/docs/supported-languages/#language-maturity) - [Semgrep Rules](https://registry.semgrep.dev/rule)
#### How I did it
Integrate Semgrep into this repository by committing a job configuration file
#### How to verify it
PR: maipbui/sonic-buildimage#2
Master branch full scan findings: [Master branch findings results](https://github.com/maipbui/sonic-buildimage/actions/runs/3160181876/jobs/5144332404)
PR maipbui/sonic-buildimage#2 scan findings: [Pull request findings results](https://github.com/maipbui/sonic-buildimage/actions/runs/3160193505/jobs/5144357859)
mdanish-kh pushed a commit to hamnarauf/sonic-utilities that referenced this pull request Oct 22, 2022
@maipbui @mdanish-kh
[actions] Support Semgrep by Github Actions (sonic-net#2417)
5b9fe8d 
Signed-off-by: maipbui <maibui@microsoft.com>
#### Why I did it
[Semgrep](https://github.com/returntocorp/semgrep) is a static analysis tool to find security vulnerabilities.
When opening a PR or commtting to PR, Semgrep performs a diff-aware scanning, which scans changed files in PRs.
When merging PR, Semgrep performs a full scan on master branch and report all findings.
Ref: - [Supported Language](https://semgrep.dev/docs/supported-languages/#language-maturity) - [Semgrep Rules](https://registry.semgrep.dev/rule)
#### How I did it
Integrate Semgrep into this repository by committing a job configuration file
#### How to verify it
PR: maipbui/sonic-buildimage#2
Master branch full scan findings: [Master branch findings results](https://github.com/maipbui/sonic-buildimage/actions/runs/3160181876/jobs/5144332404)
PR maipbui/sonic-buildimage#2 scan findings: [Pull request findings results](https://github.com/maipbui/sonic-buildimage/actions/runs/3160193505/jobs/5144357859)
preetham-singh pushed a commit to preetham-singh/sonic-utilities that referenced this pull request Nov 21, 2022
@maipbui @preetham-singh
[actions] Support Semgrep by Github Actions (sonic-net#2417)
6e93acb 
Signed-off-by: maipbui <maibui@microsoft.com>
#### Why I did it
[Semgrep](https://github.com/returntocorp/semgrep) is a static analysis tool to find security vulnerabilities.
When opening a PR or commtting to PR, Semgrep performs a diff-aware scanning, which scans changed files in PRs.
When merging PR, Semgrep performs a full scan on master branch and report all findings.
Ref: - [Supported Language](https://semgrep.dev/docs/supported-languages/#language-maturity) - [Semgrep Rules](https://registry.semgrep.dev/rule)
#### How I did it
Integrate Semgrep into this repository by committing a job configuration file
#### How to verify it
PR: maipbui/sonic-buildimage#2
Master branch full scan findings: [Master branch findings results](https://github.com/maipbui/sonic-buildimage/actions/runs/3160181876/jobs/5144332404)
PR maipbui/sonic-buildimage#2 scan findings: [Pull request findings results](https://github.com/maipbui/sonic-buildimage/actions/runs/3160193505/jobs/5144357859)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@qiluo-msft qiluo-msft qiluo-msft approved these changes

Assignees
No one assigned
Labels
Included in 202205 Branch Request for 202205 Branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@maipbui @qiluo-msft @yxieca