Semgrep、Secretlintを実行するWorkflowの追加 [shepherd]
1 parent
863001d
commit fd1bfe9
Showing
2 changed files
with
84 additions
and
0 deletions.
@@ -0,0 +1,39 @@ | ||
# PR単位で差分があるファイルに対してSecretlint(シークレットスキャンツール)を実行し、 | ||
# アクセストークンなど秘匿すべき値をPRコメントで指摘するワークフローです | ||
# 詳細は以下のドキュメントをご参照ください | ||
# https://andpad-dev.esa.io/posts/8984 | ||
|
||
name: secretlint | ||
|
||
on: | ||
pull_request | ||
|
||
concurrency: | ||
group: ${{ github.workflow }}-${{ github.ref }} | ||
cancel-in-progress: true | ||
|
||
jobs: | ||
secretlint: | ||
name: secretlint | ||
runs-on: ubuntu-latest | ||
# Skip any PR created by dependabot to avoid permission issues | ||
if: (github.actor != 'dependabot[bot]') | ||
steps: | ||
- name: Check out code | ||
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | ||
with: | ||
fetch-depth: 0 | ||
- uses: reviewdog/action-setup@8e48baae926e97848f0863ae248f3b08e089c81f # v1.0.5 | ||
- id: changed-files | ||
uses: tj-actions/changed-files@54849deb963ca9f24185fb5de2965e002d066e6b # v37.0.5 | ||
- name: Run secretlint | ||
env: | ||
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
run: | | ||
docker run \ | ||
-v $(pwd):/workdir \ | ||
-w /workdir \ | ||
secretlint/secretlint:v7.0.2@sha256:f0b1a4944a6a0f3d6a494c063b807ff6febc762f6fdf52466b2b8e3b278966d2 \ | ||
secretlint --format checkstyle ${{ steps.changed-files.outputs.all_changed_files }} \ | ||
| sed 's#="/workdir/#="#g' \ | ||
| reviewdog -f=checkstyle -reporter=github-pr-review -diff="git diff FETCH_HEAD" |
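Review bot: `${{ steps.changed-files.outputs.all_changed_files }}` is expanded straight into the `run:` script text on the `secretlint --format checkstyle` line, so a PR that adds a file whose name contains shell metacharacters has that name interpreted by the runner's shell rather than passed as data; the `semgrep scan` line of the second file has the same pattern. Pass the list through the step's `env:` block and reference it as a shell variable instead — `ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}` under `env:` and `secretlint --format checkstyle $ALL_CHANGED_FILES \` in the script — so the value is never part of the script source. Filenames containing spaces will still split into separate arguments with either form, which is a functional gap rather than a security one. Neither workflow declares a `permissions:` block; `contents: read` and `pull-requests: write` is what the checkout and the `github-pr-review` reporter need, and since the token is read-only on `pull_request` events from forks, the header comment should say that review comments will not be posted for fork PRs.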
@@ -0,0 +1,45 @@ | ||
# PR単位で差分があるファイルに対してSemgrep(SASTツール)を実行し、 | ||
# 脆弱性につながる可能性のある記述をPRコメントで指摘するワークフローです | ||
# 詳細は以下のドキュメントをご参照ください | ||
# https://andpad-dev.esa.io/posts/8984 | ||
|
||
name: semgrep | ||
|
||
on: | ||
pull_request | ||
|
||
concurrency: | ||
group: ${{ github.workflow }}-${{ github.ref }} | ||
cancel-in-progress: true | ||
|
||
jobs: | ||
semgrep: | ||
name: semgrep | ||
runs-on: ubuntu-latest | ||
# Skip any PR created by dependabot to avoid permission issues | ||
if: (github.actor != 'dependabot[bot]') | ||
steps: | ||
- name: Check out code | ||
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | ||
with: | ||
fetch-depth: 0 | ||
- uses: reviewdog/action-setup@8e48baae926e97848f0863ae248f3b08e089c81f # v1.0.5 | ||
- id: changed-files | ||
uses: tj-actions/changed-files@54849deb963ca9f24185fb5de2965e002d066e6b # v37.0.5 | ||
- id: run-semgrep | ||
name: Run semgrep | ||
env: | ||
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
run: | | ||
docker run \ | ||
-v $(pwd):/workdir \ | ||
--workdir /workdir \ | ||
returntocorp/semgrep:1.27.0@sha256:7026020ebb6c1aa477431a2ba550df3ae4d080822e391d03bb816eeac700a36b \ | ||
semgrep scan --config auto --severity WARNING --json ${{ steps.changed-files.outputs.all_changed_files }} \ | ||
| jq -r '.results[] | "\(.path):\(.start.line):\(.start.col): \(.extra.message)"' \ | ||
| sed 's#^/workdir/##' \ | ||
| reviewdog \ | ||
-efm="%f:%l:%c: %m" \ | ||
-diff="git diff FETCH_HEAD" \ | ||
-level=warning \ | ||
-reporter=github-pr-review |
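Review bot: `--severity WARNING` on the `semgrep scan` line limits the report to WARNING-level rules only, because the semgrep CLI treats `--severity` as an include filter that is meant to be repeated, so ERROR-level findings from `--config auto` never reach the PR review. If the intent is "WARNING and above", use `--severity WARNING --severity ERROR` and leave reviewdog's `-level=warning` as is; if WARNING-only is deliberate, say so in the header comment. Separately, `.extra.message` in the jq template can contain newlines, which breaks the single-line `%f:%l:%c: %m` errorformat on the `-efm` line; `\(.extra.message | gsub("\n"; " "))` keeps each finding on one line.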