chore: Move semgrep scanning to separate step

DopplerHQ · Apr 25, 2023 · 16ec162 · 16ec162
1 parent 5885ed6
commit 16ec162
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 14 deletions.
diff --git a/.github/workflows/salus.yaml b/.github/workflows/salus.yaml
@@ -6,6 +6,18 @@ on:
 name: Salus security scan
 
 jobs:
+  semgrep:
+    runs-on: ubuntu-latest
+    name: Semgrep
+    steps:
+      - uses: actions/checkout@v2
+      - name: Scan
+        id: scan
+        run: |
+          set -eo pipefail;
+          python3 -m pip install semgrep;
+          semgrep scan --error --config https://semgrep.dev/p/trailofbits --config semgrep_configs
+
   salus_scan_job:
     runs-on: ubuntu-latest
     name: Salus Security Scan

diff --git a/salus-config.yaml b/salus-config.yaml
@@ -13,7 +13,6 @@ active_scanners:
   - Gosec
   - PatternSearch
   - RepoNotEmpty
-  - Semgrep
   - GoOSV
   - GoVersionScanner
   - GoPackageScanner
@@ -24,19 +23,6 @@ active_scanners:
 enforced_scanners: "all"
 
 scanner_configs:
-  Semgrep:
-    matches:
-      - config: https://semgrep.dev/p/trailofbits
-        forbidden: true
-      - config: semgrep_configs/print.yaml
-        forbidden: true
-        exclude:
-          - pkg/printer
-          - pkg/utils/log.go
-      - config: semgrep_configs/writefile.yaml
-        forbidden: true
-        exclude:
-          - pkg/utils/io.go
   GoVersionScanner:
     error:
       min_version: '1.18.0'
diff --git a/semgrep_configs/print.yaml b/semgrep_configs/print.yaml
@@ -8,3 +8,7 @@ rules:
       - pattern-regex: fmt\.Print[a-z]*
       - pattern-regex: fmt\.Fprint[a-z]*
     severity: ERROR
+    paths:
+      exclude:
+        - /pkg/printer
+        - /pkg/utils/log.go
diff --git a/semgrep_configs/writefile.yaml b/semgrep_configs/writefile.yaml
@@ -7,3 +7,6 @@ rules:
     pattern-either:
       - pattern: ioutil.WriteFile
     severity: ERROR
+    paths:
+      exclude:
+        - /pkg/utils/io.go