test pipeline

ormequ · Oct 18, 2024 · 45856d3 · 45856d3
1 parent 8c5a782
commit 45856d3
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 23 deletions.
diff --git a/.github/workflows/secure.yml b/.github/workflows/secure.yml
@@ -14,34 +14,34 @@ jobs:
   # https://semgrep.dev/docs/cli-reference
   semgrep:
     runs-on: ubuntu-24.04
-    env:
-      SEMGREP_RULES: >-
-        p/command-injection
-        p/comment
-        p/cwe-top-25
-        p/default
-        p/gitlab
-        p/gitleaks
-        p/golang
-        p/gosec
-        p/insecure-transport
-        p/owasp-top-ten
-        p/r2c-best-practices
-        p/r2c-bug-scan
-        p/r2c-security-audit
-        p/secrets
-        p/security-audit
-        p/sql-injection
-        p/xss
     container:
       image: semgrep/semgrep
     permissions:
       contents: read
       security-events: write
     steps:
       - uses: actions/checkout@v4
-      - run: semgrep ci --sarif --severity=WARNING > semgrep.sarif
-      - uses: github/codeql-action/upload-sarif@v2
+      - run: semgrep ci --sarif > semgrep.sarif
+        env:
+          SEMGREP_RULES: >-
+            p/command-injection
+            p/comment
+            p/cwe-top-25
+            p/default
+            p/gitlab
+            p/gitleaks
+            p/golang
+            p/gosec
+            p/insecure-transport
+            p/owasp-top-ten
+            p/r2c-best-practices
+            p/r2c-bug-scan
+            p/r2c-security-audit
+            p/secrets
+            p/security-audit
+            p/sql-injection
+            p/xss
+      - uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: semgrep.sarif
         if: always()

diff --git a/.semgrepignore b/.semgrepignore
@@ -1 +1,2 @@
 website/
+*_test.go
diff --git a/selectel/resource_selectel_iam_serviceuser_v1.go b/selectel/resource_selectel_iam_serviceuser_v1.go
@@ -124,7 +124,7 @@ func resourceIAMServiceUserV1Update(ctx context.Context, d *schema.ResourceData,
 
 	password := d.Get("password").(string)
 	if password == importIAMUndefined {
-		password = ""
+		password = "" // nosemgrep
 	}
 
 	opts := serviceusers.UpdateRequest{

diff --git a/selectel/resourse_selectel_secretsmanager_certificate_v1.go b/selectel/resourse_selectel_secretsmanager_certificate_v1.go
@@ -38,7 +38,7 @@ func resourceSecretsManagerCertificateV1() *schema.Resource {
 				Required: true,
 			},
 			"private_key": {
-				Description: "that should start with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----",
+				Description: "that should start with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----", // nosemgrep
 				Type:        schema.TypeString,
 				Required:    true,
 				Sensitive:   true,