Update CI and Semgrep workflows for improved dependency management #595
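# SEMGREP_APP_TOKEN: Semgrep AppSec Platform > Settings (or help@finos.org for FINOS repos).
# SARIF upload needs repo Settings → Actions → Workflow permissions to allow security events.
name: Semgrep
on:
  pull_request: {}
  workflow_dispatch: {}
  push:
    branches:
      - main
# Workflow-level token is read-only; the one job that needs security-events: write
# widens its own permissions below.
permissions:
  contents: read
  actions: read
jobs:
  semgrep:
    name: semgrep/ci
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read
      security-events: write
    # Keep job on host and run Semgrep via docker run. This ensures SARIF is
    # written to the host workspace, where upload-sarif can access it.
    if: github.actor != 'dependabot[bot]'
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      # With a platform token, `semgrep ci` runs the org policy; without one (e.g. fork PRs,
      # where secrets are empty) fall back to the public p/ci ruleset. Both paths write the
      # same SARIF path. The image is pinned by digest, and the token reaches the container
      # only through `-e` from the step env, never on the command line.
      - name: Semgrep CI (Docker)
        run: |
          mkdir -p reports
          if [ -n "${SEMGREP_APP_TOKEN:-}" ]; then
            echo "Running semgrep ci with Semgrep AppSec Platform token"
            docker run --rm \
              -e SEMGREP_APP_TOKEN \
              -v "$PWD:/src" \
              -w /src \
              semgrep/semgrep@sha256:326e5f41cc972bb423b764a14febbb62bbad29ee1c01820805d077dd868fea48 \
              semgrep ci --sarif --sarif-output=reports/semgrep.sarif --no-suppress-errors
          else
            echo "SEMGREP_APP_TOKEN not set; running semgrep scan with p/ci rules"
            docker run --rm \
              -v "$PWD:/src" \
              -w /src \
              semgrep/semgrep@sha256:326e5f41cc972bb423b764a14febbb62bbad29ee1c01820805d077dd868fea48 \
              semgrep scan --config p/ci --sarif --sarif-output=reports/semgrep.sarif --error
          fi
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
      # failure() alone is unsafe: any earlier step failure (checkout, semgrep, …) still
      # triggers upload-sarif, but semgrep.sarif was never written.
      # So gate the uploads on whether a non-empty SARIF file actually exists.
      - name: Check SARIF output
        id: sarif
        if: always()
        run: |
          f="reports/semgrep.sarif"
          if [ -f "$f" ] && [ -s "$f" ]; then
            echo "ok=true" >> "$GITHUB_OUTPUT"
          else
            echo "ok=false" >> "$GITHUB_OUTPUT"
          fi
      # Event context is handed to the script through env vars rather than interpolated
      # with ${{ }} inside `run:`, so the shell only ever sees these values as data.
      - name: Debug SARIF and upload context
        if: always()
        env:
          EVENT_NAME: ${{ github.event_name }}
          REPO: ${{ github.repository }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name || '' }}
        run: |
          set -euo pipefail
          f="reports/semgrep.sarif"
          echo "event=${EVENT_NAME}"
          echo "repo=${REPO}"
          echo "head_repo=${HEAD_REPO}"
          if [ -f "$f" ]; then
            echo "sarif_exists=true"
            ls -l "$f"
            wc -c "$f"
            python -c "import json; d=json.load(open('reports/semgrep.sarif','r',encoding='utf-8')); print(f\"sarif_runs={len(d.get('runs', []))}\"); print(f\"sarif_version={d.get('version')}\")"
          else
            echo "sarif_exists=false"
          fi
      - name: Upload SARIF artifact (debug)
        if: always() && steps.sarif.outputs.ok == 'true'
        # TODO: add the version comment for this pinned SHA, as the other actions in this file do.
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
        with:
          name: semgrep-sarif
          path: reports/semgrep.sarif
      # always() is required here: without a status function GitHub implies success(), and the
      # scan step exits non-zero precisely when it has findings (`--error` in the fallback,
      # blocking findings in `semgrep ci`) — the runs whose SARIF most needs to be uploaded.
      # The second clause keeps the upload off fork PRs, where the token cannot write
      # security events anyway.
      - name: Upload SARIF file for GitHub Advanced Security Dashboard
        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 #v4.35.2
        if: |
          always() &&
          steps.sarif.outputs.ok == 'true' &&
          (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
        with:
          sarif_file: reports/semgrep.sarif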