diff --git a/.github/workflows/salus.yaml b/.github/workflows/salus.yaml
index 06f0aeba..195966cb 100644
--- a/.github/workflows/salus.yaml
+++ b/.github/workflows/salus.yaml
@@ -6,6 +6,18 @@ on:
 name: Salus security scan
 jobs:
+  semgrep:
+    runs-on: ubuntu-latest
+    name: Semgrep
+    steps:
+      - uses: actions/checkout@v2
+      - name: Scan
+        id: scan
+        run: |
+          set -eo pipefail;
+          python3 -m pip install semgrep;
+          semgrep scan --error --config https://semgrep.dev/p/trailofbits --config semgrep_configs
+
   salus_scan_job:
     runs-on: ubuntu-latest
     name: Salus Security Scan
diff --git a/salus-config.yaml b/salus-config.yaml
index d872f3d6..e7d6f5d7 100644
--- a/salus-config.yaml
+++ b/salus-config.yaml
@@ -13,7 +13,6 @@ active_scanners:
   - Gosec
   - PatternSearch
   - RepoNotEmpty
-  - Semgrep
   - GoOSV
   - GoVersionScanner
   - GoPackageScanner
@@ -24,19 +23,6 @@ active_scanners:
 enforced_scanners: "all"
 scanner_configs:
-  Semgrep:
-    matches:
-      - config: https://semgrep.dev/p/trailofbits
-        forbidden: true
-      - config: semgrep_configs/print.yaml
-        forbidden: true
-        exclude:
-          - pkg/printer
-          - pkg/utils/log.go
-      - config: semgrep_configs/writefile.yaml
-        forbidden: true
-        exclude:
-          - pkg/utils/io.go
   GoVersionScanner:
     error:
       min_version: '1.18.0'
diff --git a/semgrep_configs/print.yaml b/semgrep_configs/print.yaml
index 837586d3..502c1efd 100644
--- a/semgrep_configs/print.yaml
+++ b/semgrep_configs/print.yaml
@@ -8,3 +8,7 @@ rules:
       - pattern-regex: fmt\.Print[a-z]*
       - pattern-regex: fmt\.Fprint[a-z]*
     severity: ERROR
+    paths:
+      exclude:
+        - /pkg/printer
+        - /pkg/utils/log.go
diff --git a/semgrep_configs/writefile.yaml b/semgrep_configs/writefile.yaml
index 4b6bfe7a..bbb91e38 100644
--- a/semgrep_configs/writefile.yaml
+++ b/semgrep_configs/writefile.yaml
@@ -7,3 +7,6 @@ rules:
     pattern-either:
       - pattern: ioutil.WriteFile
     severity: ERROR
+    paths:
+      exclude:
+        - /pkg/utils/io.go
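Review bot: Both tool sources in the new `semgrep` job are unpinned: `actions/checkout@v2` is a mutable tag and `python3 -m pip install semgrep` installs whatever version PyPI serves at run time, so the code executing in CI and the scan's verdict can change without any commit to this repository. Pin the action to a full commit SHA (`- uses: actions/checkout@<full-commit-sha>  # <tag>`) and the scanner to a version (`python3 -m pip install 'semgrep==<pinned-version>'`), or run the official semgrep image by digest. The job also declares no `permissions:` block; unless a top-level one exists outside the hunk, it inherits the repository's default token scope, while checkout plus a local scan needs only `permissions: contents: read`. The trailing `;` on the `set` and `pip` lines and the unused `id: scan` are harmless but can be dropped. Note that `https://semgrep.dev/p/trailofbits` is still fetched fresh on every run, as it was under Salus, so findings may shift with upstream rule edits.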
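Review bot: The exclusions that moved into this rule are now root-anchored (`/pkg/printer`, `/pkg/utils/log.go`) whereas the removed Salus config used the relative forms `pkg/printer` and `pkg/utils/log.go`; semgrep matches `paths.exclude` entries as globs against the file path, and I am not certain a leading `/` is treated the same way as the old relative form, so this should be confirmed by running the new workflow command and checking that a `fmt.Print` call under `pkg/printer` is no longer reported. The same leading-slash form appears in the `writefile.yaml` hunk (`/pkg/utils/io.go`) and needs the same check. Moving the exclusion into the rule file also makes it apply wherever this rule is loaded, not only in this repository's scan, which deserves a comment above `paths:` such as `# Repo-specific: direct fmt.Print*/Fprint* use is permitted only under pkg/printer and in pkg/utils/log.go`. The enclosing rule starts outside the hunk.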