From 03435b4abc973a36eafa9114f6d73ae39c0e41a3 Mon Sep 17 00:00:00 2001
From: jkan2
Date: Mon, 30 Sep 2024 01:57:04 -0700
Subject: [PATCH] ci: Add SARIF upload to GitHub Security Dashboard (#2929)

* add semgrep sarif upload to GHAS
* added comment to clairfy the usage of the utility script
* use ghcr.io instead
* add tag to image
* bad org name

--------

Co-authored-by: jkan2 <5862123+jkan2@users.noreply.github.com>
---
 .github/workflows/semgrep.yml | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index f76ee3d14b..fcffcf7855 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -15,8 +15,26 @@ jobs:
     env:
       SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
     container:
-      image: semgrep/semgrep
+      image: ghcr.io/zeta-chain/semgrep-semgrep:1.90.0
+    if: (github.actor != 'dependabot[bot]')
     steps:
-      - uses: actions/checkout@v4
-      - run: semgrep ci
+      - uses: actions/checkout@v4
+      - name: Checkout semgrep-utilities repo
+        uses: actions/checkout@v4
+        with:
+          repository: zeta-chain/semgrep-utilities
+          path: semgrep-utilities
+
+      # uses json for semgrep script for transformation in the next step
+      - run: semgrep ci --json --output semgrep-findings.json
+
+      # transforms the the output from the above into a GHAS compatible SARIF
+      # SARIF output by "semgrep --sarif" doesn't integrate well with GHAS dashboard
+      # Example: the event name uses segmrep rules name/ID, severities are [error, warning, info], tags are a bit confusing)
+      - run: python semgrep-utilities/utilities/github-sarif-helper/src/semgrep-json-to-sarif.py --json semgrep-findings.json --sarif semgrep-github.sarif
+
+      - name: Upload SARIF file for GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: semgrep-github.sarif
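Review bot: The checkout of `zeta-chain/semgrep-utilities` carries no `ref:`, so every run pulls that repository's default-branch head and the following `run:` step executes `semgrep-json-to-sarif.py` from it inside a job that holds `SEMGREP_APP_TOKEN`; whoever can push to that branch can change what this workflow runs. Pin the utilities checkout to a reviewed revision, e.g. `ref: <full-commit-sha-placeholder>  # utilities revision this workflow was validated against`, and for the same reason prefer a digest over the mutable tag on the container image, `image: ghcr.io/zeta-chain/semgrep-semgrep@sha256:<digest-placeholder>  # 1.90.0`. `github/codeql-action/upload-sarif@v3` also needs `security-events: write`; the job's `permissions:` block, if one exists, lies outside this hunk, so confirm it grants that and nothing broader. Finally, `semgrep ci` exits non-zero when it reports blocking findings, in which case the transform and upload steps would be skipped and the dashboard would miss exactly the runs that matter; if results should always be uploaded, the scan step needs `continue-on-error: true` or the later steps an explicit `if: always()`.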