bash version

Author: eloymg

.github/workflows/semgrep.yaml

@@ -33,7 +33,7 @@ jobs:
           ref: ${{ github.repository == 'grafana/security-github-actions' && (github.head_ref || github.ref_name) || '' }}
           sparse-checkout: |
             semgrep/custom-rules.yaml
-            semgrep/format-results.py
+            semgrep/format-results.sh
           path: security-github-actions
       # Run semgrep with: auto rules + org-wide shared rules
       - id: semgrep
@@ -46,7 +46,7 @@ jobs:
             echo "has_findings=true" >> "$GITHUB_OUTPUT"
             {
               echo 'SEMGREP_OUTPUT<<SEMGREP_EOF'
-              python3 security-github-actions/semgrep/format-results.py /tmp/semgrep-results.json
+              bash security-github-actions/semgrep/format-results.sh /tmp/semgrep-results.json
               echo 'SEMGREP_EOF'
             } >> "$GITHUB_ENV"
           fi

semgrep/format-results.py

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+# Format semgrep JSON results into a GitHub-flavored markdown comment.
+set -euo pipefail
+
+INPUT_FILE="$1"
+
+RESULTS_COUNT=$(jq '.results | length' "$INPUT_FILE")
+
+if [ "$RESULTS_COUNT" -eq 0 ]; then
+  exit 0
+fi
+
+echo "## Semgrep Findings"
+echo ""
+echo "**${RESULTS_COUNT}** finding(s) detected."
+echo ""
+echo "| Severity | Rule | File | Message |"
+echo "|----------|------|------|---------|"
+
+jq -r '.results[] | {
+  sev: .extra.severity,
+  rule: (.check_id | split(".")[-1]),
+  path: .path,
+  line: .start.line,
+  msg: (.extra.message | gsub("\n"; " ") | ltrimstr(" ") | rtrimstr(" "))
+} | {
+  icon: (if .sev == "ERROR" then "🔴"
+         elif .sev == "WARNING" then "🟡"
+         elif .sev == "INFO" then "🔵"
+         else "⚪" end),
+  sev: .sev,
+  rule: .rule,
+  path: .path,
+  line: .line,
+  msg: .msg
+} | "| \(.icon) \(.sev) | `\(.rule)` | `\(.path):\(.line)` | \(.msg) |"' "$INPUT_FILE"