Goal
Stand up Semgrep (SAST) as its own security-scan CI gate for the Insight repo. Split out
of the now-closed omnibus PR #1463 so the SAST baseline can be triaged and ratcheted to
blocking independently, per the acceptance criteria of the security-scanner umbrella #1478
(report-only first → gate once the baseline is clean and agreed with the team).
Proposed approach
Lift the sast job from the closed PR #1463 (.github/workflows/security-gates.yml) into its
own workflow/job, running the Semgrep container pinned by digest:
semgrep scan --config p/default --exclude-rule generic.secrets.security.detected-generic-secret
(secret detection is covered by the separate TruffleHog gate).
- Report-only during ratchet-in —
semgrep scan runs WITHOUT --error, so findings surface
but do not block.
- Exit condition: add
--error to hard-fail once the p/default baseline is triaged and clean.
Pre-existing p/default findings to triage before flipping to blocking (owner: QA/TAF):
- JWT
ValidateLifetime (identity service)
- Dockerfile
USER / non-root findings
- …and the rest of the
p/default baseline surfaced on first run.
Acceptance criteria
Split from #1463 (closed). Part of #1478 (security-scanner umbrella) → Quality Framework Security vector.
Goal
Stand up Semgrep (SAST) as its own security-scan CI gate for the Insight repo. Split out
of the now-closed omnibus PR #1463 so the SAST baseline can be triaged and ratcheted to
blocking independently, per the acceptance criteria of the security-scanner umbrella #1478
(report-only first → gate once the baseline is clean and agreed with the team).
Proposed approach
Lift the
sastjob from the closed PR #1463 (.github/workflows/security-gates.yml) into itsown workflow/job, running the Semgrep container pinned by digest:
semgrep scan --config p/default --exclude-rule generic.secrets.security.detected-generic-secret(secret detection is covered by the separate TruffleHog gate).
semgrep scanruns WITHOUT--error, so findings surfacebut do not block.
--errorto hard-fail once thep/defaultbaseline is triaged and clean.Pre-existing
p/defaultfindings to triage before flipping to blocking (owner: QA/TAF):ValidateLifetime(identity service)USER/ non-root findingsp/defaultbaseline surfaced on first run.Acceptance criteria
p/defaultruns on PRs tomainand on a nightly schedule, surfaced in checks / job summary.p/defaultbaseline findings triaged..semgrepignore/ rule excludes).--erroradded to make Semgrep blocking, agreed with the team.Split from #1463 (closed). Part of #1478 (security-scanner umbrella) → Quality Framework Security vector.