From e05dc8fea5b6cc16719b07676a4fd53c773799b7 Mon Sep 17 00:00:00 2001
From: Scott Fryer <60462088+steelhead31@users.noreply.github.com>
Date: Fri, 1 Mar 2024 10:21:20 +0000
Subject: [PATCH 1/7] Initial version of semgrep diff

---
 .github/workflows/semgrep_diff.yml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 .github/workflows/semgrep_diff.yml

diff --git a/.github/workflows/semgrep_diff.yml b/.github/workflows/semgrep_diff.yml
new file mode 100644
index 0000000000..9053e5beb0
--- /dev/null
+++ b/.github/workflows/semgrep_diff.yml
@@ -0,0 +1,29 @@
+---
+name: Semgrep Differential Scan
+on:
+ pull_request
+
+jobs:
+
+ semgrep-diff:
+ runs-on: ubuntu-latest
+ container:
+ image: returntocorp/semgrep
+
+ steps:
+
+ # step 1
+ - name: clone application source code
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+
+ with:
+ fetch-depth: 0
+
+ # step 2
+ - name: differential scan
+ run: |
+ semgrep scan \
+ --error \
+ --metrics=off \
+ --baseline-commit $ \
+ --config="p/trailofbits"

From 88d9890ddc1782d935acd85ab1ef413d23ab3df2 Mon Sep 17 00:00:00 2001
From: Scott Fryer <60462088+steelhead31@users.noreply.github.com>
Date: Fri, 1 Mar 2024 10:26:44 +0000
Subject: [PATCH 2/7] Update semgrep_diff.yml

---
 .github/workflows/semgrep_diff.yml | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/semgrep_diff.yml b/.github/workflows/semgrep_diff.yml
index 9053e5beb0..7c7e458415 100644
--- a/.github/workflows/semgrep_diff.yml
+++ b/.github/workflows/semgrep_diff.yml
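Review bot: The new workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository's default grant although a scan that only checks out code and fails on findings needs nothing beyond read access; add `permissions:` / `  contents: read` at the top level next to `name:`. In the same hunk the job runs in `image: returntocorp/semgrep` with neither a tag nor a digest while the checkout step is pinned to a commit SHA, so the scanner itself floats at `latest` and can change underneath every PR; pin it by digest (`image: returntocorp/semgrep@sha256:…`) with the version in a trailing comment, the same way the action is pinned. The `returntocorp` image name may also have been superseded by a `semgrep/semgrep` image — worth confirming against the vendor's current registry before pinning.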
@@ -1,29 +1,25 @@
 ---
 name: Semgrep Differential Scan
 on:
- pull_request
+ pull_request:
 jobs:
-
 semgrep-diff:
 runs-on: ubuntu-latest
 container:
 image: returntocorp/semgrep
 steps:
-
- # step 1
- - name: clone application source code
- - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
-
+ # Step 1: Clone application source code
+ - name: Checkout code
+ uses: actions/checkout@v3.1.0
 with:
 fetch-depth: 0
- # step 2
- - name: differential scan
+ # Step 2: Differential scan
+ - name: Differential scan
 run: |
- semgrep scan \
+ semgrep scan --config="p/trailofbits" \
 --error \
- --metrics=off \
- --baseline-commit $ \
- --config="p/trailofbits"
+ -- metrics=off \
+ --baseline-commit ${{ github.event.before }}

From 20325e690ebe4deba3448bcef5aa9df68110e9d7 Mon Sep 17 00:00:00 2001
From: Scott Fryer <60462088+steelhead31@users.noreply.github.com>
Date: Fri, 1 Mar 2024 10:34:02 +0000
Subject: [PATCH 3/7] reformat params

---
 .github/workflows/semgrep_diff.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/semgrep_diff.yml b/.github/workflows/semgrep_diff.yml
index 7c7e458415..6b43b84791 100644
--- a/.github/workflows/semgrep_diff.yml
+++ b/.github/workflows/semgrep_diff.yml
@@ -19,7 +19,5 @@ jobs:
 # Step 2: Differential scan
 - name: Differential scan
 run: |
- semgrep scan --config="p/trailofbits" \
- --error \
- -- metrics=off \
+ semgrep scan --error --metrics=off --config="p/trailofbits" \
 --baseline-commit ${{ github.event.before }}

From 07aac162512181033551e785ed640181961bf2f4 Mon Sep 17 00:00:00 2001
From: Scott Fryer <60462088+steelhead31@users.noreply.github.com>
Date: Fri, 1 Mar 2024 10:56:02 +0000
Subject: [PATCH 4/7] Pin checkout action to sha

---
 .github/workflows/semgrep_diff.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/semgrep_diff.yml b/.github/workflows/semgrep_diff.yml
index 6b43b84791..e0dfdcd9f0 100644
--- a/.github/workflows/semgrep_diff.yml
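Review bot: `--baseline-commit ${{ github.event.before }}` on the last added line is not a dependable baseline for a `pull_request` workflow: as far as the webhook payload is documented, `before`/`after` are only populated for the `synchronize` action, so on `opened` and `reopened` the expression expands to an empty string, semgrep receives `--baseline-commit` with no value, and the step fails (or degrades to a full scan) instead of diffing the PR. The conventional baseline for PR scans is the base branch tip, `--baseline-commit ${{ github.event.pull_request.base.sha }}`, which is present on every pull_request action and is what `fetch-depth: 0` makes reachable. The same step also moves `uses: actions/checkout@v3.1.0` off the commit-SHA pin of the previous revision onto a movable tag; if that was not intended, keep the SHA and put the version in a trailing comment.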
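Review bot: The consolidated `run:` command still interpolates `${{ github.event.before }}` directly into the shell script; a commit SHA from the event payload is low-risk text, but inlining expressions into `run:` is the pattern GitHub's workflow-hardening guidance advises against, and the env-var form costs nothing. Add `env:` / `  BASELINE_SHA: ${{ github.event.before }}` on the step and use `--baseline-commit "$BASELINE_SHA"` in the command, so the value is data to the shell rather than script text. Note also that `--error` together with `--config="p/trailofbits"` makes the check block on whatever the registry ruleset contains at run time, so rules added upstream can start failing PRs without any change in this repository — worth a one-line comment above the step so the next person understands why a previously green branch turns red.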
+++ b/.github/workflows/semgrep_diff.yml
@@ -12,7 +12,7 @@ jobs:
 steps:
 # Step 1: Clone application source code
 - name: Checkout code
- uses: actions/checkout@v3.1.0
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
 with:
 fetch-depth: 0

From cc10e35ab7cf8ece2f4bf0b5ec4aa7f5abf8ce7a Mon Sep 17 00:00:00 2001
From: Scott Fryer <60462088+steelhead31@users.noreply.github.com>
Date: Fri, 1 Mar 2024 10:59:33 +0000
Subject: [PATCH 5/7] Dummy - To Test Semgrep

---
 .../AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/CentOS.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/CentOS.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/CentOS.yml
index 99907e2888..5d0732bfc9 100644
--- a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/CentOS.yml
+++ b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/CentOS.yml
@@ -17,7 +17,7 @@
 name: epel-release
 state: installed
 update_cache: yes
- validate_certs: true
+ validate_certs: false
 when: ansible_distribution_major_version != "8"
 tags: patch_update

From 7094c3e1693789ea4aba1b8718126f519c398363 Mon Sep 17 00:00:00 2001
From: Scott Fryer <60462088+steelhead31@users.noreply.github.com>
Date: Fri, 1 Mar 2024 11:11:55 +0000
Subject: [PATCH 6/7] Testing SEMGREP

---
 .../AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/CentOS.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/CentOS.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/CentOS.yml
index 5d0732bfc9..99907e2888 100644
--- a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/CentOS.yml
+++ b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/CentOS.yml
@@ -17,7 +17,7 @@
 name: epel-release
 state: installed
 update_cache: yes
- validate_certs: false
+ validate_certs: true
 when: ansible_distribution_major_version != "8"
 tags: patch_update

From a562e19476ddaf4daa11eff7afd3079f46187f66 Mon Sep 17 00:00:00 2001
From: Scott Fryer
Date: Mon, 4 Mar 2024 09:40:23 +0000
Subject: [PATCH 7/7] Ignore Nagios Example j2 templates

---
 .semgrepignore | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 .semgrepignore

diff --git a/.semgrepignore b/.semgrepignore
new file mode 100644
index 0000000000..09f86810a2
--- /dev/null
+++ b/.semgrepignore
@@ -0,0 +1,2 @@
+# Ignore The Nagios Configuration J2 templates, as they are only examples.
+./ansible/playbooks/nagios/roles/Nagios_Config/files/templates/*.j2
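Review bot: As far as Semgrep's documented behaviour goes, a project `.semgrepignore` replaces the built-in default ignore list rather than extending it, so once this two-line file exists the defaults (test fixtures, vendored dependencies and, through `:include .gitignore`, everything the repo already ignores) stop applying and the differential scan starts walking paths it previously skipped; add `:include .gitignore` as the first line and re-add any default directories the repository depends on. The leading `./` in `./ansible/playbooks/nagios/roles/Nagios_Config/files/templates/*.j2` is also worth confirming against the semgrepignore matcher, since patterns are normally written root-relative without it (`ansible/playbooks/nagios/roles/Nagios_Config/files/templates/*.j2`), and a pattern that silently fails to match leaves the templates in scope while everyone believes they are excluded. Since excluding files is a coverage decision, the comment should state the consequence rather than just the reason, e.g. `# Example-only Nagios J2 templates, never rendered into a deployment; findings in them are not actionable, so they are excluded from Semgrep.`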