Bump returntocorp/semgrep-action from fcd5ab7459e8d91cb1777481980d1b18b4fc6735 to 713efdd345f3035192eaa63f56867b88e63e4e5d

[dependabot]

Bumps returntocorp/semgrep-action from fcd5ab7459e8d91cb1777481980d1b18b4fc6735 to 713efdd345f3035192eaa63f56867b88e63e4e5d.

Changelog

Sourced from returntocorp/semgrep-action's changelog.

Upcoming - Date

2022-06-23

Changed

• Use semgrep 0.100.0

2022-05-25

Changed

• Use semgrep 0.94.0

2022-05-12

Changed

• Use semgrep 0.92.0

2022-04-26

Changed

• Use semgrep 0.90.0

Fixed

• Allow --config and --audit-on multiple times (#566)

2022-04-20

Changed

• Use semgrep 0.89.0

• The version of Git included in the Docker image has been bumped to 2.35.2; this means that the safe directory check added in response to CVE-2022-24765 now applies to scans done with semgrep-agent.

  If the directory you scan is owned by a different user than semgrep-agent runs with, you will need to run git config --global --add safe.directory /YOUR/REPO/PATH before scanning, see discussion on the release PR.

2022-03-24

Changed

• Use semgrep 0.86.0
• Move all functionality to semgrep ci and run that command

... (truncated)

Commits

• 713efdd Update README.md
• 5497961 Merge pull request #756 from returntocorp/brendongo-patch-2
• ef27b52 Update README.md
• 0bdb313 Merge pull request #747 from returntocorp/gha/bump-version-1.36.0-5861876524-1
• 7a75d63 Bump semgrep to 1.36.0
• 483865d Merge pull request #745 from returntocorp/revert-744-gha/bump-version-1.35.0-...
• da78f37 Revert "chore: Release Version 1.35.0"
• b39e16e Merge pull request #744 from returntocorp/gha/bump-version-1.35.0-5814777398-1
• 51519dc Bump semgrep to 1.35.0
• 5f52783 Merge pull request #734 from returntocorp/gha/bump-version-1.32.0-5548538127-1
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

• Chores
  • Updated the Semgrep action version in the GitHub Actions workflow for improved code scanning capabilities.

[coderabbitai]

Walkthrough

The change involves an update to the Semgrep action in a GitHub Actions workflow configuration file. The action reference has been modified from an older commit hash to a newer one, indicating an upgrade that may include enhancements or fixes without altering the existing workflow parameters or context.

Changes

File	Change Summary
.github/workflows/semgrep.yml	Updated Semgrep action reference from commit hash fcd5ab7... to 713efdd....

Sequence Diagram(s)

sequenceDiagram
    participant GitHub as GitHub Actions
    participant Semgrep as Semgrep Action
    participant Code as Codebase

    GitHub->>Semgrep: Trigger workflow
    Semgrep->>Code: Analyze code
    Code-->>Semgrep: Return analysis results
    Semgrep-->>GitHub: Report findings

Loading

🐇 "In the meadow, we hop and play,
With Semgrep’s tune, we’ll scan away.
A new version leaps, oh what a sight,
Bugs and issues take flight!
With every change, our code shines bright!" 🌼

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 82212fa and 02b8859.

Files selected for processing (1)

• .github/workflows/semgrep.yml (1 hunks)

Additional comments not posted (1)

.github/workflows/semgrep.yml (1)

38-38: LGTM! Verify compatibility with the new version.

The Semgrep action version has been updated to a newer commit. Ensure that the new version is compatible and does not introduce breaking changes.

The code changes are approved.

Run the following script to verify the compatibility of the new version:

Verification successful

---

Semgrep Action Version Update Verified

The Semgrep action in .github/workflows/semgrep.yml is correctly updated to version 713efdd345f3035192eaa63f56867b88e63e4e5d. No other versions are present, confirming the update is accurate.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the compatibility of the new Semgrep action version.

# Test: Check the Semgrep action version in the workflow file. Expect: Only occurrences of the new version.
rg --type yaml 'returntocorp/semgrep-action@713efdd345f3035192eaa63f56867b88e63e4e5d'

Length of output: 85

---

Script:

#!/bin/bash
# Description: Search for all occurrences of the Semgrep action in the repository to verify versions.

# Test: List all occurrences of the Semgrep action to check for different versions.
rg --type yaml 'returntocorp/semgrep-action@'

Length of output: 45

---

Script:

#!/bin/bash
# Description: Verify the existence of the semgrep.yml file and check its contents for the Semgrep action.

# Check if the semgrep.yml file exists
if [ -f ".github/workflows/semgrep.yml" ]; then
  # Output the contents of the semgrep.yml file to verify the Semgrep action version
  cat .github/workflows/semgrep.yml
else
  echo "The file .github/workflows/semgrep.yml does not exist."
fi

Length of output: 1618