ci(security): Semgrep SAST gate (report-only) (#1797)#1822
Conversation
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
Standalone semgrep.yml running p/default (secrets excluded — TruffleHog owns those) in report-only mode: findings upload to Code Scanning (SARIF) and a job-summary count, but no --error so the check never blocks. PR + nightly + dispatch triggers, digest-pinned image, SHA-pinned actions. Adds .semgrepignore for build/dep artifacts and waives the known JWT ValidateLifetime finding inline (#346). Split from #1463; part of #1478. Signed-off-by: Konstantin Tursunov <Konstantin.Tursunov@constructor.tech>
- Bump actions/checkout v4.2.2 -> v5.0.1 and codeql-action/upload-sarif v3.32.0 -> v4.32.6 (SHA-pinned) to clear the Node-20 deprecation and the CodeQL Action v3 sunset warnings from the first run. - Switch the JWT #346 waiver from an inline rule-id nosemgrep to a bare // nosemgrep: under the full p/default ruleset the fully-namespaced rule id does not match, so no suppression was emitted and the alert stayed open. The bare form reliably emits SARIF suppressions[inSource], which Code Scanning honors as a dismissed alert. Signed-off-by: Konstantin Tursunov <Konstantin.Tursunov@constructor.tech>
Inline nosemgrep does not dismiss a GitHub Code Scanning alert (GitHub does not honor third-party SARIF suppressions[inSource]), so the marker touched product code for no effect. Restore Program.cs; the JWT #346 finding — like the rest of the report-only baseline — will be dismissed in the Code Scanning UI/API (state=dismissed, won't-fix, ref #346) during the Phase-6 triage, before the --error flip. Signed-off-by: Konstantin Tursunov <Konstantin.Tursunov@constructor.tech>
c82a7c8 to
74356a3
Compare
Replace the bare finding count with a severity table plus a collapsible per-rule breakdown rendered from the SARIF (stdlib only, no jq). Signed-off-by: Konstantin Tursunov <Konstantin.Tursunov@constructor.tech>
p/default has thin Rust/C# security coverage (0 findings across 184 Rust files); add the dedicated language packs so the actual backend code is scanned, not just CI/YAML. Surfaces real Rust (unsafe-usage, temp-dir) and C# (unsigned-security-token) findings p/default missed. Still report-only. Signed-off-by: Konstantin Tursunov <Konstantin.Tursunov@constructor.tech>
What
Stands up Semgrep (SAST) as its own report-only CI gate, split out of the
closed omnibus PR #1463 so the baseline can be triaged and ratcheted to blocking
independently (per the security-scanner umbrella #1478).
.github/workflows/semgrep.yml— singlesastjob:semgrep scan --config p/default --exclude-rule generic.secrets.security.detected-generic-secret(secret detection is owned by the separate TruffleHog gate).
--error, so findings surface but never block.main+ nightlyschedule(03:27 UTC) +workflow_dispatch; no path filter.docker runonubuntu-latest(socheckout/upload-sarifkeep the host runner's Node); SHA-pinned actions; job-scoped
security-events: write;concurrencycancel-in-progress; fork-PR-safe SARIF upload..semgrepignore— prunes build/dependency artifacts (target/,.venv/,node_modules/,dist/);application and test source stay in scope.
Program.cs— the pre-existing JWTValidateLifetime = falsefinding is waived inline(
// nosemgrep: …+#346), the one known high-severity item in the baseline.Baseline (first
p/defaultrun: 124 findings)Report-only on purpose — the baseline is not clean yet. Dominant category is 109
github-actions-mutable-action-tagfindings in the existing workflows (a repo-wideSHA-pin effort, tracked separately), plus ~13 product/tooling findings and 2 Dockerfile
missing-userfindings. Triage happens in Code Scanning after this lands.Exit condition (separate follow-up PR)
Flip to blocking by adding
--errorand markingsasta required check once the baseline isclean (zero un-waived findings) — which depends on the mutable-tag follow-up + triaging the
remaining findings. Not part of this PR.
Test plan
actionlintclean; the new workflow self-scans to 0p/defaultfindings (fully pinned).Closes #1797.
Part of #1478. Split from #1463.