From e563bfae4a9b430473485d7fe0cb39bac443529b Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Fri, 26 Jan 2024 15:54:12 +0000 Subject: [PATCH] chore(ci): reorganize semgrep files Signed-off-by: Roberto Scolaro --- .github/workflows/insecure-api.yml | 27 ------------------- .github/workflows/semgrep_checks.yml | 22 ++++++++++++++- .../{ => insecure-api}/insecure-api-gets.yaml | 0 .../insecure-api-sprintf-vsprintf.yaml | 0 .../insecure-api-strcpy-stpcpy-strcat.yaml | 0 .../{ => insecure-api}/insecure-api-strn.yaml | 0 6 files changed, 21 insertions(+), 28 deletions(-) delete mode 100644 .github/workflows/insecure-api.yml rename semgrep/{ => insecure-api}/insecure-api-gets.yaml (100%) rename semgrep/{ => insecure-api}/insecure-api-sprintf-vsprintf.yaml (100%) rename semgrep/{ => insecure-api}/insecure-api-strcpy-stpcpy-strcat.yaml (100%) rename semgrep/{ => insecure-api}/insecure-api-strn.yaml (100%) diff --git a/.github/workflows/insecure-api.yml b/.github/workflows/insecure-api.yml deleted file mode 100644 index 1f565ca3f0..0000000000 --- a/.github/workflows/insecure-api.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: Insecure API check -on: - pull_request: - branches: - - master - - 'release/**' - - 'maintainers/**' - -jobs: - insecure-api: - name: check-insecure-api - runs-on: ubuntu-latest - container: - image: returntocorp/semgrep:1.41.0 - steps: - - name: Checkout Libs ⤵️ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 0 - - name: Scan PR for insecure API usage 🕵️ - run: | - semgrep scan \ - --error \ - --metrics=off \ - --baseline-commit ${{ github.event.pull_request.base.sha }} \ - --config=./semgrep \ - --exclude-rule=absolute-includes diff --git a/.github/workflows/semgrep_checks.yml b/.github/workflows/semgrep_checks.yml index 241a6bce05..6507e1ca32 100644 --- a/.github/workflows/semgrep_checks.yml +++ b/.github/workflows/semgrep_checks.yml 
@@ -1,10 +1,30 @@ -name: Absolute include paths check +name: Semgrep Checks on: pull_request: branches: - master + - 'release/**' + - 'maintainers/**' jobs: + insecure-api: + name: check-insecure-api + runs-on: ubuntu-latest + container: + image: returntocorp/semgrep:1.41.0 + steps: + - name: Checkout Libs ⤵️ + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + - name: Scan PR for insecure API usage 🕵️ + run: | + semgrep scan \ + --error \ + --metrics=off \ + --baseline-commit ${{ github.event.pull_request.base.sha }} \ + --config=./semgrep/insecure-api + absolute-include-paths: name: check-absolute-include-paths runs-on: ubuntu-latest diff --git a/semgrep/insecure-api-gets.yaml b/semgrep/insecure-api/insecure-api-gets.yaml similarity index 100% rename from semgrep/insecure-api-gets.yaml rename to semgrep/insecure-api/insecure-api-gets.yaml diff --git a/semgrep/insecure-api-sprintf-vsprintf.yaml b/semgrep/insecure-api/insecure-api-sprintf-vsprintf.yaml similarity index 100% rename from semgrep/insecure-api-sprintf-vsprintf.yaml rename to semgrep/insecure-api/insecure-api-sprintf-vsprintf.yaml diff --git a/semgrep/insecure-api-strcpy-stpcpy-strcat.yaml b/semgrep/insecure-api/insecure-api-strcpy-stpcpy-strcat.yaml similarity index 100% rename from semgrep/insecure-api-strcpy-stpcpy-strcat.yaml rename to semgrep/insecure-api/insecure-api-strcpy-stpcpy-strcat.yaml diff --git a/semgrep/insecure-api-strn.yaml b/semgrep/insecure-api/insecure-api-strn.yaml similarity index 100% rename from semgrep/insecure-api-strn.yaml rename to semgrep/insecure-api/insecure-api-strn.yaml
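Review bot: In the new `insecure-api` job the scanner container is pinned only by the mutable tag `image: returntocorp/semgrep:1.41.0`, while `actions/checkout` two lines below is pinned to a commit SHA; a tag can be repointed by whoever controls that registry namespace, so the job's supply-chain trust is weaker than the action pin suggests. Pin the image by digest as well, e.g. `image: returntocorp/semgrep:1.41.0@sha256:<digest-from-registry>`, keeping the tag for readability. The workflow also declares no `permissions:` block, so the `GITHUB_TOKEN` receives the repository's default scope although neither job visibly needs more than a read of the checkout; adding `permissions:` with `contents: read` directly under `name: Semgrep Checks` makes the least-privilege intent explicit and survives future repo-setting changes. The `absolute-include-paths` job continues past the end of this hunk.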