-
Notifications
You must be signed in to change notification settings - Fork 3
95 lines (86 loc) · 4.07 KB
/
code-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
# Code scanning is something you would want to do to ensure the quality of your codebase.
# Usually, it'll detects security vulnerabilities, code smells, and other issues that might be present in your code.
# To learn more about code scanning, see https://snyk.io/learn/code-review/code-scanning/
name: Code Scan
on:
# Scan changed files in PRs (diff-aware scanning):
pull_request: {}
# Scan on-demand through GitHub Actions interface:
workflow_dispatch: {}
# Scan mainline branches and report all findings:
push:
branches: ["master", "main"]
jobs:
# Trufflehog is a tool that scans code for secrets and other sensitive information.
# For configuration with Github Actions, see https://github.com/trufflesecurity/trufflehog?tab=readme-ov-file#octocat-trufflehog-github-action
# For more information about Trufflehog, see https://trufflesecurity.com/trufflehog
trufflehog:
name: Trufflehog Secret Scan
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: trufflesecurity/trufflehog@main
with:
extra_args: --debug --only-verified
# Semgrep is a lightweight static analysis tool that can be used to scan code for security vulnerabilities.
# For configuration with Github Actions, see https://semgrep.dev/docs/semgrep-ci/sample-ci-configs/#github-actions
# For more information about Semgrep, see https://semgrep.dev/
semgrep:
name: Semgrep Code Quality Scan
runs-on: ubuntu-latest
container:
# A Docker image with Semgrep installed. Do not change this.
image: semgrep/semgrep
# Skip any PR created by dependabot to avoid permission issues:
if: (github.actor != 'dependabot[bot]')
steps:
- uses: actions/checkout@v4
- run: semgrep scan --config auto --oss-only --output=results.txt
- run: cat results.txt
- uses: actions/github-script@v7
if: github.event_name == 'pull_request'
with:
script: |
let results = '';
await exec.exec('cat', ['results.txt'], {
listeners: {
stdout: (data) => {
results += data.toString();
}
}
});
// List previous issue comments
const comments = await github.rest.issues.listComments({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
});
// If there are any comments created by `github-actions[bot]`
// and have the body containing `semgrep`, we should update
// the comment, instead of creating a new one.
const previousComment = comments.data.find(comment => {
return comment.user.login === 'github-actions[bot]' && comment.body.includes('Semgrep');
});
const updatedDate = new Date().toLocaleString('id-ID', {dateStyle: "long", timeStyle: "long", hour12: false, timeZone: "Asia/Jakarta"});
results = results.trim();
if (results.length > 65200) {
results = results.substring(0, 65200) + '...\n\nWARNING: The results are too long and have been truncated.';
}
if (previousComment) {
await github.rest.issues.updateComment({
comment_id: previousComment.id,
owner: context.repo.owner,
repo: context.repo.repo,
body: `Here are the results of the [Semgrep](https://semgrep.dev/docs/getting-started/quickstart-oss/) scan (last updated: ${updatedDate}):\n\`\`\`\n${results}\n\`\`\``,
});
return;
}
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `Here are the results of the [Semgrep](https://semgrep.dev/docs/getting-started/quickstart-oss/) scan:\n\`\`\`\n${results}\n\`\`\``,
});