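---
# Runs the adapter-specific semgrep rules (.semgrep/adapter) against the
# non-test Go files an adapter pull request touches and posts the findings
# as review comments on the pull request. The check fails when any comment
# is outstanding (previous unaddressed comments plus new ones).
#
# NOTE(review): this workflow triggers on `pull_request_target`, so it runs in
# the base repository's context with a token that can write to pull requests,
# while the steps below check out the pull request's head ref and `require()`
# helper code from that checkout. Confirm that this is intended and that the
# helper is treated as trusted input; otherwise load the helper from the base
# ref (a second checkout) and keep the head checkout for scanning only.
name: Adapter semgrep checks

on:  # yamllint disable-line rule:truthy
  pull_request_target:
    paths: ["adapters/*/*.go"]

# Only the pull-request scope is granted; every other scope defaults to none.
permissions:
  pull-requests: write

jobs:
  semgrep-check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
        with:
          # Full history (presumably needed by the diff helper below).
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}

      - name: Calculate diff
        id: calculate_diff
        uses: actions/github-script@v7
        with:
          result-encoding: string
          script: |
            const utils = require('./.github/workflows/helpers/pull-request-utils.js')
            // consider only non-test Go files that are part of the adapter code
            function fileNameFilter(filename) {
              return filename.startsWith("adapters/") && filename.split("/").length > 2 && filename.endsWith(".go") && !filename.endsWith("_test.go")
            }
            const helper = utils.diffHelper({github, context, fileNameFilter, event: "${{ github.event.action }}", testName: "${{ github.job }}"})
            return await helper.buildDiff()

      - name: Should run semgrep
        id: should_run_semgrep
        # Step outputs are passed through the environment instead of being
        # interpolated into the script text, so their content is never parsed
        # as shell (or JavaScript) syntax.
        env:
          DIFF_RESULT: ${{ steps.calculate_diff.outputs.result }}
        run: |
          hasChanges=$(printf '%s\n' "$DIFF_RESULT" | jq .pullRequest.hasChanges)
          echo "hasChanges=${hasChanges}" >> "$GITHUB_OUTPUT"

      - name: Install semgrep
        if: contains(steps.should_run_semgrep.outputs.hasChanges, 'true')
        run: |
          pip3 install semgrep==1.22.0
          semgrep --version

      - name: Run semgrep tests
        id: run_semgrep_tests
        if: contains(steps.should_run_semgrep.outputs.hasChanges, 'true')
        env:
          DIFF_RESULT: ${{ steps.calculate_diff.outputs.result }}
        run: |
          # .pullRequest.files is assumed to be one space-separated string of
          # paths built by the diff helper; the quotes are stripped and the
          # variable is deliberately left unquoted so each path becomes its
          # own semgrep argument.
          unquoted_files=$(printf '%s\n' "$DIFF_RESULT" | jq .pullRequest.files | tr -d '"')
          # Reduce the GitLab SAST report to the fields the comment helper reads
          # and emit it as a single JSON-encoded line (jq -R) so it fits in one
          # GITHUB_OUTPUT entry.
          outputs=$(semgrep --gitlab-sast --config=.semgrep/adapter $unquoted_files | jq '[.vulnerabilities[] | {"file": .location.file, "severity": .severity, "start": .location.start_line, "end": .location.end_line, "message": (.message | gsub("\\n"; "\n"))}]' | jq -c | jq -R)
          echo "semgrep_result=${outputs}" >> "$GITHUB_OUTPUT"

      - name: Add pull request comment
        id: add_pull_request_comment
        if: contains(steps.should_run_semgrep.outputs.hasChanges, 'true')
        uses: actions/github-script@v7
        env:
          SEMGREP_RESULT: ${{ steps.run_semgrep_tests.outputs.semgrep_result }}
          DIFF_RESULT: ${{ steps.calculate_diff.outputs.result }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          result-encoding: string
          script: |
            const utils = require('./.github/workflows/helpers/pull-request-utils.js')
            // SEMGREP_RESULT is a JSON string (from jq -R) that wraps the JSON
            // array, hence the two-level parse; DIFF_RESULT is the raw JSON object.
            const helper = utils.semgrepHelper({
              github, context, event: "${{ github.event.action }}",
              semgrepResult: JSON.parse(JSON.parse(process.env.SEMGREP_RESULT)),
              diff: JSON.parse(process.env.DIFF_RESULT), headSha: "${{ github.event.pull_request.head.sha }}"
            })
            const { previousScan, currentScan } = await helper.addReviewComments()
            return previousScan.unAddressedComments + currentScan.newComments

      - name: Adapter semgrep checks result
        if: contains(steps.should_run_semgrep.outputs.hasChanges, 'true')
        env:
          COMMENT_COUNT: ${{ steps.add_pull_request_comment.outputs.result }}
        run: |
          # COMMENT_COUNT is unaddressed comments from the previous scan plus
          # new comments from this one; any non-zero value fails the check.
          if [ "${COMMENT_COUNT}" -ne "0" ]; then
            echo "Semgrep has found \"${COMMENT_COUNT}\" errors"
            exit 1
          else
            echo 'Semgrep did not find any errors in the pull request changes'
          fi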