From fd1bfe9866072a279a3fcce852a1c33d015458a3 Mon Sep 17 00:00:00 2001
From: onodera0314 <17252514+onodera0314@users.noreply.github.com>
Date: Wed, 19 Jul 2023 14:46:32 +0900
Subject: [PATCH] =?UTF-8?q?Semgrep=E3=80=81Secretlint=E3=82=92=E5=AE=9F?= =?UTF-8?q?=E8=A1=8C=E3=81=99=E3=82=8BWorkflow=E3=81=AE=E8=BF=BD=E5=8A=A0?= =?UTF-8?q?=20[shepherd]?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/secretlint.yml | 39 +++++++++++++++++++++++++++
 .github/workflows/semgrep.yml | 45 ++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 .github/workflows/secretlint.yml
 create mode 100644 .github/workflows/semgrep.yml
diff --git a/.github/workflows/secretlint.yml b/.github/workflows/secretlint.yml
new file mode 100644
index 0000000..163d719
--- /dev/null
+++ b/.github/workflows/secretlint.yml
@@ -0,0 +1,39 @@
+# PR単位で差分があるファイルに対してSecretlint(シークレットスキャンツール)を実行し、
+# アクセストークンなど秘匿すべき値をPRコメントで指摘するワークフローです
+# 詳細は以下のドキュメントをご参照ください
+# https://andpad-dev.esa.io/posts/8984
+
+name: secretlint
+
+on:
+ pull_request
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ secretlint:
+ name: secretlint
+ runs-on: ubuntu-latest
+ # Skip any PR created by dependabot to avoid permission issues
+ if: (github.actor != 'dependabot[bot]')
+ steps:
+ - name: Check out code
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ with:
+ fetch-depth: 0
+ - uses: reviewdog/action-setup@8e48baae926e97848f0863ae248f3b08e089c81f # v1.0.5
+ - id: changed-files
+ uses: tj-actions/changed-files@54849deb963ca9f24185fb5de2965e002d066e6b # v37.0.5
+ - name: Run secretlint
+ env:
+ REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ docker run \
+ -v $(pwd):/workdir \
+ -w /workdir \
+ secretlint/secretlint:v7.0.2@sha256:f0b1a4944a6a0f3d6a494c063b807ff6febc762f6fdf52466b2b8e3b278966d2 \
+ secretlint --format checkstyle ${{ steps.changed-files.outputs.all_changed_files }} \
+ | sed 's#="/workdir/#="#g' \
+ | reviewdog -f=checkstyle -reporter=github-pr-review -diff="git diff FETCH_HEAD"
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 0000000..e27ba48
--- /dev/null
+++ b/.github/workflows/semgrep.yml
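Review bot: `${{ steps.changed-files.outputs.all_changed_files }}` is expanded directly into the `run:` shell script of the `Run secretlint` step, so text chosen by the PR author (file names are contributor-controlled) becomes part of the command line — the script-injection pattern GitHub's Actions hardening guidance warns about; the `run-semgrep` step in semgrep.yml has the same construct. Pass the list through the environment instead: add `CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}` under the step's `env:` and call `secretlint --format checkstyle $CHANGED_FILES \`, so the value is never interpreted as script. The job also declares no `permissions:`, so the token inherits the repository default, which may be write-everything; reviewdog's `github-pr-review` reporter only needs `permissions: { contents: read, pull-requests: write }` at the job level. Since the trigger is `pull_request`, the token on fork PRs is read-only and reviewdog will not be able to post comments there; a comment above `REVIEWDOG_GITHUB_API_TOKEN` noting that limitation would save the next maintainer a debugging session.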
@@ -0,0 +1,45 @@
+# PR単位で差分があるファイルに対してSemgrep(SASTツール)を実行し、
+# 脆弱性につながる可能性のある記述をPRコメントで指摘するワークフローです
+# 詳細は以下のドキュメントをご参照ください
+# https://andpad-dev.esa.io/posts/8984
+
+name: semgrep
+
+on:
+ pull_request
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ semgrep:
+ name: semgrep
+ runs-on: ubuntu-latest
+ # Skip any PR created by dependabot to avoid permission issues
+ if: (github.actor != 'dependabot[bot]')
+ steps:
+ - name: Check out code
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ with:
+ fetch-depth: 0
+ - uses: reviewdog/action-setup@8e48baae926e97848f0863ae248f3b08e089c81f # v1.0.5
+ - id: changed-files
+ uses: tj-actions/changed-files@54849deb963ca9f24185fb5de2965e002d066e6b # v37.0.5
+ - id: run-semgrep
+ name: Run semgrep
+ env:
+ REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ docker run \
+ -v $(pwd):/workdir \
+ --workdir /workdir \
+ returntocorp/semgrep:1.27.0@sha256:7026020ebb6c1aa477431a2ba550df3ae4d080822e391d03bb816eeac700a36b \
+ semgrep scan --config auto --severity WARNING --json ${{ steps.changed-files.outputs.all_changed_files }} \
+ | jq -r '.results[] | "\(.path):\(.start.line):\(.start.col): \(.extra.message)"' \
+ | sed 's#^/workdir/##' \
+ | reviewdog \
+ -efm="%f:%l:%c: %m" \
+ -diff="git diff FETCH_HEAD" \
+ -level=warning \
+ -reporter=github-pr-review
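Review bot: `--severity WARNING` on the `semgrep scan` line selects only rules whose severity is exactly WARNING, so ERROR-severity findings — the ones most likely to be real vulnerabilities — never reach the review; the flag is repeatable, so it should read `--severity WARNING --severity ERROR` (or be dropped to run all applicable rules). The pipeline also runs under the step's default shell, which is `bash -e` without `pipefail`, so a failed image pull or a semgrep crash inside `docker run` is masked by `jq`, `sed` and `reviewdog` succeeding on empty input and the job goes green with no scan performed; adding `shell: bash` to the step (GitHub's explicit bash shell runs with `-eo pipefail`) or starting the script with `set -o pipefail` makes such failures visible. `--config auto` fetches an unpinned rule set from the Semgrep registry at run time, so results can differ between two runs of the same PR and the step depends on outbound network access; pinning a ruleset version or vendoring the rules in the repository would make the scan deterministic, and that trade-off deserves a comment above the `run:` block either way.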