ci: Add SARIF upload to GitHub Security Dashboard #2929
Conversation
|
Important Review skippedAuto incremental reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the 📝 Walkthrough📝 Walkthrough📝 Walkthrough📝 Walkthrough📝 Walkthrough📝 WalkthroughWalkthroughThe changes in the pull request enhance the GitHub Actions workflow for Semgrep by adding a checkout step for the Changes
Possibly related PRs
Suggested reviewers
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
Documentation and Community
|
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Outside diff range and nitpick comments (1)
.github/workflows/semgrep.yml (1)
33-36: Correct implementation of SARIF upload to GitHub Security Dashboard.The addition of the SARIF file upload step is correctly implemented using the official GitHub action. This will effectively integrate the Semgrep findings into the GitHub Advanced Security Dashboard.
For improved clarity and maintainability, consider extracting the SARIF filename into an environment variable. This can be achieved by modifying the workflow as follows:
name: Semgrep on: workflow_dispatch: {} pull_request: {} push: branches: - develop schedule: - cron: '56 22 * * *' jobs: semgrep: name: semgrep/ci runs-on: ubuntu-20.04 env: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} + SARIF_FILE: semgrep-github.sarif container: image: semgrep/semgrep if: (github.actor != 'dependabot[bot]') steps: - uses: actions/checkout@v4 - name: Checkout semgrep-utilities repo uses: actions/checkout@v4 with: repository: zeta-chain/semgrep-utilities path: semgrep-utilities - run: semgrep ci --json --output semgrep-findings.json - - run: python semgrep-utilities/utilities/github-sarif-helper/src/semgrep-json-to-sarif.py --json semgrep-findings.json --sarif semgrep-github.sarif + - run: python semgrep-utilities/utilities/github-sarif-helper/src/semgrep-json-to-sarif.py --json semgrep-findings.json --sarif ${{ env.SARIF_FILE }} - name: Upload SARIF file for GitHub Advanced Security Dashboard uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: semgrep-github.sarif + sarif_file: ${{ env.SARIF_FILE }}This modification enhances readability and reduces the risk of inconsistencies if the filename needs to be changed in the future.
📜 Review details
Configuration used: .coderabbit.yaml
Review profile: CHILL
📒 Files selected for processing (1)
- .github/workflows/semgrep.yml (1 hunks)
🔇 Additional comments (2)
.github/workflows/semgrep.yml (2)
19-27: Appropriate implementation of semgrep-utilities checkout.The addition of the semgrep-utilities repository checkout is correctly implemented. The use of a specific path for the checkout ensures proper isolation of the utilities.
29-29: Correct modification of semgrep ci command for JSON output.The semgrep ci command has been appropriately updated to generate JSON output, which is essential for the subsequent SARIF conversion process.
* add semgrep sarif upload to GHAS * added comment to clairfy the usage of the utility script * use ghcr.io instead * add tag to image * bad org name --------- Co-authored-by: jkan2 <5862123+jkan2@users.noreply.github.com>
…guration (#2953) * update artillery config * more fixes * feat: integrate authenticated calls smart contract functionality into protocol (#2904) * e2e tests and modifications for authenticated call * extend test with sender check and revert case * separate tests into separate files * cleanup * withdraw and call support and tests * bump protocol contracts * split tests into separate files * small cleanup * fmt * generate * lint * changelog * PR comments * fix case in proto * bump vote inbound gas limit in zetaclient * fix test * generate * fixing tests * call options non empty * generate * test fix * rename gateway caller * pr comments rename tests * PR comment * generate * tests * update tests fixes * tests fixes * fix * test fix * feat!: bank precompile (#2860) * feat: bank precompile * feat: add deposit * feat: extend deposit * PoC: spend amount on behalf of EOA * feat: expand deposit with transferFrom * use CallEVM instead on ZRC20 bindings * divide the contract into different files * initialize e2e testing * remove duplicated funding * add codecov * expand e2e * fix: wait for deposit tx to be mined * apply first round of reviews * cover al error types test * fixes using time.Since * Include CallContract interface * fix eth events in deposit precompile method * emit Deposit event * add withdraw function * finalize withdraw * pack event arguments generically * add high level event function * first round of review fixes * second round of reviews * create bank account when instantiating bank * e2e: add good and bad scenarios * modify fmt * chore: group input into eventData struct * docs: document bank's methods * chore: generate files with suffix .gen.go * chore: assert errors with errorIs * chore: reset e2e test by resetting allowance * test: add first batch of unit test * test: cover all cases * test: complete unit test cases * include review suggestions * include e2e through contract * test: add e2e through contract complete * test: revert balance between tests * Update precompiles/bank/const.go Co-authored-by: Lucas Bertrand <lucas.bertrand.22@gmail.com> * fix: changed coin denom --------- Co-authored-by: skosito <skostic9242@gmail.com> Co-authored-by: Lucas Bertrand <lucas.bertrand.22@gmail.com> * feat: add sender to revert context (#2919) * e2e tests and modifications for authenticated call * extend test with sender check and revert case * separate tests into separate files * cleanup * withdraw and call support and tests * bump protocol contracts * split tests into separate files * small cleanup * fmt * generate * lint * changelog * PR comments * fix case in proto * bump vote inbound gas limit in zetaclient * fix test * generate * fixing tests * call options non empty * generate * test fix * rename gateway caller * pr comments rename tests * PR comment * generate * tests * add sender in test contract * extend e2e tests * generate * changelog * PR comment * generate * update tests fixes * tests fixes * fix * test fix * gas limit fixes * PR comment fix * fix bad merge * ci: add option to enable monitoring stack (#2927) * ci: add option to enable monitoring stack * start prometheus faster * update * ci: add rpcimportable test (#2817) * ci: add rpcimportable test * add ci * fmt * use github.com/btcsuite/btcd/btcutil in pkg/chains * remove app imports types tests * use standalone sdkconfig package * fix policies test * move crosschain keeper tests from types to keeper * never seal config in tests * use zeta-chain/ethermint#126 * add some comments * use merged ethermint hash * show resulting go.mod * ci: Add SARIF upload to GitHub Security Dashboard (#2929) * add semgrep sarif upload to GHAS * added comment to clairfy the usage of the utility script * use ghcr.io instead * add tag to image * bad org name --------- Co-authored-by: jkan2 <5862123+jkan2@users.noreply.github.com> * fix: add recover to InitChainer to diplay informative message when starting a node from block 1 (#2925) * add recover to InitChainer * generate files * add docs link to error message * move InitChainErrorMessage to app.go * Update app/app.go Co-authored-by: Francisco de Borja Aranda Castillejo <borja@zetachain.com> * use const for message --------- Co-authored-by: Francisco de Borja Aranda Castillejo <borja@zetachain.com> * test: add wait for block to tss migration test (#2931) * add wait for block to tss migration test * add comments * refactor identifiers * rename checkNumberOfTssGenerated to checkNumberOfTSSGenerated * chore: allow full zetaclient config overlay (#2945) * test(e2e): add gateway upgrade in upgrade test (#2932) * add gateway upgrade * change reference * add v2 setup for all tests * test v2 in light upgrade * refactor setup to use custody v2 directly * chore: improve localnet build performance (#2928) * chore: improve localnet build performance * propagate NODE_VERSION and NODE_COMMIT * update hashes --------- Co-authored-by: skosito <skostic9242@gmail.com> Co-authored-by: Francisco de Borja Aranda Castillejo <borja@zetachain.com> Co-authored-by: Lucas Bertrand <lucas.bertrand.22@gmail.com> Co-authored-by: Alex Gartner <alexg@zetachain.com> Co-authored-by: jkan2 <jkan2@users.noreply.github.com> Co-authored-by: jkan2 <5862123+jkan2@users.noreply.github.com> Co-authored-by: Tanmay <tanmay@zetachain.com>
Description
Since the findings are located in the semgrep UI, this will allow it to be uploaded to the security dashboard (under code scanning in the security tab). The python script is from semgrep themselves and it transforms the original
sariffrom semgrep to a more useable readable format in GHAS.Also changed the image pull to be in ghcr instead of docker hub to prevent pull rate limiting and potential docker hub outages
How Has This Been Tested?
Summary by CodeRabbit
New Features
Chores