
Set up continuous SAST with Semgrep #218

Merged
merged 2 commits into from
Mar 8, 2023

Conversation

ericcornelissen
Owner

Summary

Add a SAST scan with Semgrep.

Add a Static Application Security Test (SAST) scan with Semgrep [1].
Semgrep supports scanning JavaScript, Dockerfiles, and configuration
files such as GitHub Actions workflows.

Harden-runner is not configured for this job because it doesn't work
with container-based jobs.

--
1. https://semgrep.dev
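As an added example (not the workflow from this PR), the shape of a container-based Semgrep job of the kind the description refers to. The trigger set, the `returntocorp/semgrep` image name, the `--config auto` and `--error` flags and the weekly schedule are assumptions about Semgrep's CLI and image at the time; the relevant point is that the scan runs inside a container, which is why a runner-hardening action that instruments the host runner is not part of the job.

```yaml
# Added example of a continuous SAST job with Semgrep; not the PR's own file.
# Image name, flags and triggers are assumptions, not taken from the PR.
name: Semgrep

on:
  pull_request: ~
  push:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'   # weekly full-repository scan, independent of pushes

permissions:
  contents: read          # the scan only needs to read the checked-out tree

jobs:
  semgrep:
    name: SAST (Semgrep)
    runs-on: ubuntu-latest
    # The job runs inside Semgrep's container image rather than on the bare
    # runner; host-level runner hardening does not apply to container jobs.
    container:
      image: returntocorp/semgrep   # pin to a digest in a real workflow
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Run Semgrep
        # `--config auto` selects rule sets for the languages it detects
        # (here JavaScript, Dockerfiles and GitHub Actions YAML);
        # `--error` makes the job fail when findings are reported.
        run: semgrep scan --config auto --error
```

Failing the job on findings is what turns the scan into a gate; without `--error` (or an equivalent exit-code setting) the results are reported but never block a merge.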
@ericcornelissen added the labels ci (Relates to continuous integration), dependencies (Relates to the project's dependencies) and security (Relates to security) on Mar 8, 2023
@ericcornelissen force-pushed the sast-semgrep branch 2 times, most recently from 7c7bbc7 to 5c49336 on March 8, 2023 11:04
Prevent shell injection in this workflow by capturing the update type as
an environment variable and using the environment variable. This way, the
expansion of the input in the command can't result in shell injection.

Yes, this particular case is not very vulnerable due to 1) limited value
space, and 2) trusted triggers. However, it's hard to guarantee those
variables stay fixed and simple to apply the fix.

This problem was detected by Semgrep (https://semgrep.dev) using a full-repository scan.
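To illustrate the fix described in the commit message above, an added example (not a file from this PR) showing the same step before and after the change. The `workflow_dispatch` input named `update-type`, its choice list and the `./scripts/update.sh` script are assumptions; the PR only says that an "update type" input was expanded into a `run:` command.

```yaml
# Added example of the shell-injection fix; not the PR's own workflow.
# Input name, choice list and script path are assumptions.
name: Update dependencies

on:
  workflow_dispatch:
    inputs:
      update-type:
        description: Which dependency updates to apply
        required: true
        type: choice            # limited value space, as the commit notes
        options: [patch, minor, major]

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # BEFORE (weak): GitHub substitutes the expression into the script text
      # before the shell parses it, so the value is interpreted as script, not
      # as data. The choice list and trusted trigger keep exposure small today,
      # but nothing in this step enforces that if the input definition changes.
      - name: Apply updates (expression expanded inside run)
        run: ./scripts/update.sh ${{ github.event.inputs.update-type }}

      # AFTER (hardened): the expression is bound to an environment variable
      # and the script references the variable. The value now reaches the
      # shell as data; double quotes keep it a single argument.
      - name: Apply updates (value passed through the environment)
        env:
          UPDATE_TYPE: ${{ github.event.inputs.update-type }}
        run: ./scripts/update.sh "$UPDATE_TYPE"
```

A real workflow would contain only the second step; both are shown so the difference is visible in one place. The same pattern applies to any `${{ }}` expression whose value is not fully controlled by the workflow author (issue titles, branch names, commit messages, PR bodies), and it is the pattern Semgrep's GitHub Actions rules flag.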