ci: Add Semgrep to CI #2912
Conversation
Walkthrough
A new GitHub Actions workflow named

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant User
    participant GitHub Actions
    participant Semgrep
    User->>GitHub Actions: Trigger workflow (manual, PR, push)
    GitHub Actions->>GitHub Actions: Check conditions (e.g., not Dependabot)
    GitHub Actions->>Semgrep: Run semgrep ci command
    Semgrep-->>GitHub Actions: Return results
    GitHub Actions-->>User: Complete workflow
```
Actionable comments posted: 0
Outside diff range and nitpick comments (3)
.github/workflows/semgrep.yml (3)

Lines 1-13: Workflow triggers are well-defined and comprehensive.

The workflow configuration for name and triggers is appropriate and covers all necessary scenarios. The use of `workflow_dispatch`, `pull_request`, and conditional `push` events ensures that Semgrep runs when needed. The daily scheduled run is a good practice for regular checks.

Consider updating the comment on line 12 to be more specific:

```diff
- # random HH:MM to avoid a load spike on GitHub Actions at 00:00
+ # Run at 22:56 UTC daily to avoid load spikes on GitHub Actions at 00:00
```
Lines 14-22: Job configuration is appropriate, with a suggestion for improvement.

The job configuration is well-structured and follows security best practices by using a secret for the Semgrep token. The use of a Docker container ensures a consistent environment for Semgrep execution.

Consider updating the Ubuntu version to use the latest LTS version:

```diff
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
```

This change will ensure that the workflow always uses the latest LTS version of Ubuntu, reducing the need for manual updates in the future.
Lines 23-25: Job steps are correct but can be enhanced.

The use of `actions/checkout@v4` and the `semgrep ci` command are appropriate for running Semgrep in a CI environment.

Consider enhancing the Semgrep execution step to capture the output and handle potential errors:

```yaml
steps:
  - uses: actions/checkout@v4
  - name: Run Semgrep
    run: |
      set -eo pipefail
      semgrep ci | tee semgrep_output.txt
    continue-on-error: true
  - name: Check Semgrep output
    run: |
      if grep -q "Findings:" semgrep_output.txt; then
        echo "Semgrep found issues. Please review the output."
        exit 1
      fi
```

This change will:
- Capture Semgrep output to a file.
- Allow the workflow to continue even if Semgrep finds issues.
- Provide a clear indication of whether Semgrep found any problems.
- Fail the job if issues are found, ensuring they are addressed.
It doesn't seem to be actually running? It exited instantly?

Run `semgrep login` before using `semgrep ci`, or use `semgrep scan` and set `--config`.

Thanks for catching that @gartnera, completely missed the token part as I previously used their bot to create it on my tests (which would commit to
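The fix the reviewer describes above, written out as an added example workflow rather than the PR's actual `.github/workflows/semgrep.yml`: the secret name, the `develop` branch filter, the cron time and the `p/ci` ruleset are assumptions taken from the review thread or chosen for illustration. It shows both routes the reviewer mentions: `semgrep ci` with an app token, or `semgrep scan` with an explicit `--config` that fails the job on findings.

```yaml
name: Semgrep

on:
  workflow_dispatch:
  pull_request:
  push:
    branches: [develop]   # assumed default branch (see Codecov report)
  schedule:
    # Run at 22:56 UTC daily to avoid the load spike on GitHub Actions at 00:00
    - cron: "56 22 * * *"

jobs:
  semgrep:
    runs-on: ubuntu-latest
    # Dependabot-triggered runs cannot read repository secrets, so skip them
    if: github.actor != 'dependabot[bot]'
    container:
      image: semgrep/semgrep
    env:
      # Assumed secret name; the value is empty when the secret is not configured
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
    steps:
      - uses: actions/checkout@v4

      # With a token, `semgrep ci` pulls its rules from the Semgrep platform.
      # Without one it has no rules to run, which is the "exited instantly"
      # behaviour seen in this PR's first run.
      - name: Run Semgrep (platform rules)
        if: env.SEMGREP_APP_TOKEN != ''
        run: semgrep ci

      # Without a token, pin an explicit ruleset instead. --error makes the
      # step exit non-zero when findings are reported, so the job fails
      # visibly rather than passing on an empty scan.
      - name: Run Semgrep (pinned ruleset)
        if: env.SEMGREP_APP_TOKEN == ''
        run: semgrep scan --config p/ci --error
```

Checking the step logs for the number of rules loaded is the quickest way to confirm the scan actually ran rather than exiting early.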
Codecov Report
All modified and coverable lines are covered by tests ✅

Additional details and impacted files

```
@@            Coverage Diff             @@
##           develop    #2912      +/-   ##
===========================================
+ Coverage    67.27%   67.49%   +0.21%
===========================================
  Files          380      380
  Lines        21175    21169       -6
===========================================
+ Hits         14245    14287      +42
+ Misses        6264     6213      -51
- Partials       666      669       +3
```
Description
Adds Semgrep to GitHub Actions.
How Has This Been Tested?