SC-7239 - Semgrep and Gitleaks enhancement #215
Conversation
updating the semgrep workflow with PR commenting feature
Deleted the old custom rule as it is not required in the new workflow
Gitleaks is a secret scanning tool that scans for secrets introduced in new pull requests through this workflow
Gitleaks.toml file consists of the patterns of the secrets and sensitive data
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
| - name: Run Gitleaks on PR changes via Docker | ||
| run: | | ||
| docker run --rm -v $(pwd):/repo -w /repo zricethezav/gitleaks:latest detect \ | ||
| --config="/repo/Rule/gitleaks.toml" \ |
There was a problem hiding this comment.
Can you check if this file can be sourced from a centralized location instead of creating a separate gitleaks.toml file in every repository?
There was a problem hiding this comment.
For private repo's we have done the same. But for the public repo's, we are hosting the workflows separately, mainly for the SDK's, as we need to change the file or modify it often to reduce the False positives with respect to the individual repo's.
| -H "Authorization: token $GITHUB_TOKEN" \ | ||
| -H "Accept: application/vnd.github.v3+json" \ | ||
| -d "{\"body\":\"$COMMENT\"}" \ | ||
| "https://api.github.com/repos/${REPO}/issues/${PR_NUMBER}/comments" |
There was a problem hiding this comment.
Can you create a separate script for this and execute it, instead of keeping the logic directly in the workflow file?
There was a problem hiding this comment.
In the existing logic, we are using the Git API and commenting it directly on the PR. This is the direct logic, even if we write any other script for the commenting we need to call the api's or the commenting git actions which needs all the same syntax.
Also for the separate script we need to again install the req functions to run that script which again consumes git runner resources.
| script: | | ||
| // Ensure the context has a pull_request | ||
| if (context.payload.pull_request) { | ||
| const prNumber = context.payload.pull_request.number; | ||
| const fs = require('fs'); | ||
| const results = JSON.parse(fs.readFileSync('pretty-results.json', 'utf8')); | ||
| const highFindings = results.filter(result => result.extra && result.extra.severity === 'ERROR'); | ||
| - name: Upload results | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: semgrep-results | ||
| path: results.sarif | ||
| // Comment if findings exist | ||
| if (highFindings.length > 0) { | ||
| const comment = `**Semgrep Findings:** Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging.`; | ||
| await github.rest.issues.createComment({ | ||
| ...context.repo, | ||
| issue_number: prNumber, | ||
| body: comment | ||
| }); | ||
| } else { | ||
| const noIssuesComment = "**Semgrep findings:** No issues found, Good to merge."; | ||
| await github.rest.issues.createComment({ | ||
| ...context.repo, | ||
| issue_number: prNumber, | ||
| body: noIssuesComment | ||
| }); | ||
| } | ||
| } else { | ||
| console.log("This workflow wasn't triggered by a pull request, so no comment will be added."); | ||
| } |
There was a problem hiding this comment.
Ditto same as above.
There was a problem hiding this comment.
Let’s move this to a centralized location so it can be reused across repositories.
There was a problem hiding this comment.
This is the configuration file for the gitleaks, as we need to modify it often to reduce the False positives with respect to the individual repo's, it is not recommended to move to central repo.
SC-7239 - Semgrep and Gitleaks enhancement