From 95e92d190a8f38ec5a98f8a91c2aec5b95887d38 Mon Sep 17 00:00:00 2001
From: Sviataslau Dauhuchyts
Date: Thu, 22 Aug 2024 12:19:36 +0300
Subject: [PATCH] Add SAST scan

---
 .github/workflows/sast.yaml | 58 +++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 .github/workflows/sast.yaml

diff --git a/.github/workflows/sast.yaml b/.github/workflows/sast.yaml
new file mode 100644
index 0000000..1e29f13
--- /dev/null
+++ b/.github/workflows/sast.yaml
@@ -0,0 +1,58 @@
+name: Semgrep SAST
+
+on:
+ pull_request:
+ branches:
+ - develop
+ - staging
+ - production
+ - stable
+ - main
+ - master
+
+env:
+ # Fail workflow or not if vulnerabilities found
+ FAIL_ON_VULNERABILITIES: true
+ # List of paths (space separated) to ignore
+ # Supports PATTERNS
+ # EXCLUDE_PATHS: 'foo bar/baz file.txt dir/*.yml'
+ EXCLUDE_PATHS: ''
+ # List of rules (space separated) to ignore
+ # EXCLUDE_RULES: 'generic.secrets.security.detected-aws-account-id.detected-aws-account-id'
+ # See https://github.com/semgrep/semgrep-rules for rules registry
+ EXCLUDE_RULES: ''
+
+jobs:
+ semgrep:
+ name: semgrep-oss/scan
+ runs-on: ubuntu-latest
+ container:
+ image: semgrep/semgrep
+ steps:
+ - uses: actions/checkout@v4
+ - name: Scan
+ shell: bash
+ run: |
+ EXCLUDED_PATHS=()
+ if [[ ! -z $EXCLUDE_PATHS ]]; then
+ for path in $EXCLUDE_PATHS; do
+ EXCLUDED_PATHS+=("--exclude $path")
+ done
+ fi
+
+ EXCLUDED_RULES=()
+ if [[ ! -z $EXCLUDE_RULES ]]; then
+ for rule in $EXCLUDE_RULES; do
+ EXCLUDED_RULES+=("--exclude-rule $rule")
+ done
+ fi
+
+ if [[ $FAIL_ON_VULNERABILITIES == "true" ]]; then
+ semgrep scan --config auto ${EXCLUDED_PATHS[@]} ${EXCLUDED_RULES[@]} --error --verbose
+ elif [[ $FAIL_ON_VULNERABILITIES == "false" ]]; then
+ semgrep scan --config auto ${EXCLUDED_PATHS[@]} ${EXCLUDED_RULES[@]} --error --verbose || true
+ else
+ echo "Bad FAIL_ON_VULNERABILITIES env var value"
+ exit 1
+ fi
+
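Review bot: The scanner image on the `container:` line (`image: semgrep/semgrep`) carries no tag or digest and `actions/checkout@v4` is a mutable tag, so the tooling that gates merges to `main`, `production` and the other listed branches can change underneath the workflow without any diff in this repository; pin both, e.g. `image: semgrep/semgrep@sha256:<IMAGE_DIGEST>` and `uses: actions/checkout@<COMMIT_SHA> # v4` (placeholders, take the values from the registry and the action's release). The workflow also declares no `permissions:` block, so the job token inherits the repository default, whereas a read-only scan needs only a top-level `permissions:` with `contents: read`. `--config auto` pulls rules from the Semgrep registry and, as far as I recall, reports project metadata as metrics; if that is not intended, an explicit ruleset such as `--config p/default --metrics=off` keeps the run self-contained. On the shell, `EXCLUDED_PATHS+=("--exclude $path")` stores flag and value in one element and relies on the unquoted `${EXCLUDED_PATHS[@]}` expansion to split them again, so a path containing a space breaks; `EXCLUDED_PATHS+=("--exclude" "$path")` with `"${EXCLUDED_PATHS[@]}"` (same for the rules array) is the conventional form.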