Skip to content

ci(security): Semgrep SAST gate (split from #1463) #1797

Description

@ktursunov

Goal

Stand up Semgrep (SAST) as its own security-scan CI gate for the Insight repo. Split out
of the now-closed omnibus PR #1463 so the SAST baseline can be triaged and ratcheted to
blocking independently, per the acceptance criteria of the security-scanner umbrella #1478
(report-only first → gate once the baseline is clean and agreed with the team).

Proposed approach

Lift the sast job from the closed PR #1463 (.github/workflows/security-gates.yml) into its
own workflow/job, running the Semgrep container pinned by digest:

  • semgrep scan --config p/default --exclude-rule generic.secrets.security.detected-generic-secret
    (secret detection is covered by the separate TruffleHog gate).
  • Report-only during ratchet-insemgrep scan runs WITHOUT --error, so findings surface
    but do not block.
  • Exit condition: add --error to hard-fail once the p/default baseline is triaged and clean.

Pre-existing p/default findings to triage before flipping to blocking (owner: QA/TAF):

  • JWT ValidateLifetime (identity service)
  • Dockerfile USER / non-root findings
  • …and the rest of the p/default baseline surfaced on first run.

Acceptance criteria

  • Semgrep p/default runs on PRs to main and on a nightly schedule, surfaced in checks / job summary.
  • Semgrep container image pinned by digest; p/default baseline findings triaged.
  • Follow-up issues filed for actionable findings; suppressions documented in-repo (.semgrepignore / rule excludes).
  • Baseline clean → --error added to make Semgrep blocking, agreed with the team.

Split from #1463 (closed). Part of #1478 (security-scanner umbrella) → Quality Framework Security vector.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

Fields

No fields configured for Task.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions