implement semgrep in github worflow for project (#1979)

This commit is contained in:
Lenin Alevski
2022-05-15 18:54:22 -07:00
committed by GitHub
parent 1d23bf3d04
commit 076e44e39a
3 changed files with 147 additions and 0 deletions


@@ -24,6 +24,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ubuntu-latest
strategy:
@@ -92,6 +93,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ubuntu-latest
strategy:
@@ -160,6 +162,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ubuntu-latest
strategy:
@@ -256,6 +259,22 @@ jobs:
curl -L -o nancy https://github.com/sonatype-nexus-community/nancy/releases/download/${nancy_version}/nancy-${nancy_version}-linux-amd64 && chmod +x nancy
go list -deps -json ./... | jq -s 'unique_by(.Module.Path)|.[]|select(has("Module"))|.Module' | ./nancy sleuth
semgrep-static-code-analysis:
name: "semgrep checks"
runs-on: ${{ matrix.os }}
container:
image: "returntocorp/semgrep"
strategy:
matrix:
os: [ ubuntu-latest ]
steps:
- name: Check out source code
uses: actions/checkout@v2
- name: Scanning code on ${{ matrix.os }}
continue-on-error: false
run: |
semgrep --config semgrep.yaml $(pwd)/portal-ui --error
no-warnings-and-make-assets:
name: "React Code Has No Warnings and then Make Assets"
runs-on: ${{ matrix.os }}
@@ -350,6 +369,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ${{ matrix.os }}
strategy:
matrix:
@@ -428,6 +448,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ${{ matrix.os }}
strategy:
matrix:
@@ -506,6 +527,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ${{ matrix.os }}
strategy:
matrix:
@@ -585,6 +607,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ${{ matrix.os }}
timeout-minutes: 5
strategy:
@@ -654,6 +677,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ${{ matrix.os }}
strategy:
matrix:
@@ -722,6 +746,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ${{ matrix.os }}
strategy:
matrix:
@@ -790,6 +815,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ${{ matrix.os }}
strategy:
matrix:
@@ -863,6 +889,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ${{ matrix.os }}
strategy:
matrix:
@@ -900,6 +927,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ${{ matrix.os }}
strategy:
matrix:
@@ -937,6 +965,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ${{ matrix.os }}
strategy:
matrix:
@@ -974,6 +1003,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ${{ matrix.os }}
strategy:
matrix:
@@ -1011,6 +1041,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ${{ matrix.os }}
strategy:
matrix:
@@ -1048,6 +1079,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ${{ matrix.os }}
strategy:
matrix:
@@ -1085,6 +1117,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ${{ matrix.os }}
strategy:
matrix:
@@ -1122,6 +1155,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ${{ matrix.os }}
strategy:
matrix:
@@ -1167,6 +1201,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ubuntu-latest
strategy:
@@ -1235,6 +1270,7 @@ jobs:
- no-warnings-and-make-assets
- reuse-golang-dependencies
- vulnerable-dependencies-checks
- semgrep-static-code-analysis
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
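Review bot: The semgrep job added in the `@@ -256,6 +259,22 @@` hunk runs in `image: "returntocorp/semgrep"` with no tag or digest, so each run pulls whatever the registry currently serves as `latest`, and the outcome of a security gate depends on an engine version nobody reviewed; `actions/checkout@v2` is likewise a mutable tag. Pinning both makes the scan reproducible and narrows the workflow's supply-chain exposure: `image: "returntocorp/semgrep@sha256:<IMAGE_DIGEST>"` and `uses: actions/checkout@<COMMIT_SHA> # v2`, with the placeholders filled from the registry and the action's release. `continue-on-error: false` is already the default for a step and can be dropped. The other hunks in this file only add `semgrep-static-code-analysis` to `needs:` lists and need no change.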

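--- /dev/null
+++ b/.semgrepignore
@@ -0,0 +1,33 @@
+# Ignore git items
+.gitignore
+.git/
+:include .gitignore
+# Common large paths
+node_modules/
+portal-ui/node_modules/
+build/
+dist/
+.idea/
+vendor/
+.env/
+.venv/
+.tox/
+*.min.js
+# Common test paths
+test/
+tests/
+*_test.go
+# Semgrep rules folder
+.semgrep
+# Semgrep-action log folder
+.semgrep_logs/
+# Ignore VsCode files
+.vscode/
+*.code-workspace
+*~
+.eslintcache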

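--- /dev/null
+++ b/semgrep.yaml
@@ -0,0 +1,78 @@
+rules:
+- id: js-func-encode-uri-Component
+patterns:
+- pattern: encodeURIComponent($X)
+- pattern-not-inside: |
+export const encodeURLString = (...) => {
+...
+};
+message: Use encodeURLString() instead of encodeURIComponent()
+languages:
+- typescript
+- javascript
+severity: WARNING
+fix: encodeURLString($X)
+- id: js-func-encode-uri
+patterns:
+- pattern: encodeURI($X)
+message: Use encodeURLString() instead of encodeURI()
+languages:
+- typescript
+- javascript
+severity: WARNING
+fix: encodeURLString($X)
+- id: js-dangerous-func-document-write
+patterns:
+- pattern: document.write(...)
+message: Don't render html directly into the page, use React components instead
+languages:
+- typescript
+- javascript
+severity: WARNING
+- id: js-dangerous-func-assign-document-write
+patterns:
+- pattern: |
+$X1 = document
+...
+$X1.write(...)
+message: Don't render html directly into the page, use React components instead
+languages:
+- typescript
+- javascript
+severity: WARNING
+- id: js-dangerous-func-document-writeln
+patterns:
+- pattern: document.writeln(...)
+message: Don't render html directly into the page, use React components instead
+languages:
+- typescript
+- javascript
+severity: WARNING
+- id: js-dangerous-func-assign-document-writeln
+patterns:
+- pattern: |
+$X1 = document
+...
+$X1.writeln(...)
+message: Don't render html directly into the page, use React components instead
+languages:
+- typescript
+- javascript
+severity: WARNING
+- id: react-dangerouslysetinnerhtml
+languages:
+- typescript
+- javascript
+message: "Setting HTML from code is risky because its easy to inadvertently expose your users to a cross-site scripting (XSS) attack."
+pattern-either:
+- pattern: |
+<$X dangerouslySetInnerHTML=... />
+- pattern: |
+{dangerouslySetInnerHTML: ...}
+- pattern: |
+$X1.innerHTML=...
+- pattern: |
+$X1.outerHTML=...
+- pattern: |
+$X1.insertAdjacentHTML=...
+severity: WARNING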
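Review bot: In `react-dangerouslysetinnerhtml`, the pattern `$X1.insertAdjacentHTML=...` only matches an assignment to the `insertAdjacentHTML` property, while the markup-injecting use is the method call, so a call such as `el.insertAdjacentHTML(pos, html)` (constructed example) goes unreported; change it to `- pattern: $X1.insertAdjacentHTML(...)`. The same rule's message reads `its easy`, which should be `it's easy`. The id `js-func-encode-uri-Component` is the only one with a capital letter; `js-func-encode-uri-component` keeps the file's kebab-case convention. Every rule is `severity: WARNING`, which still blocks the job because the workflow passes `--error`, but the HTML-injection sinks (`document.write`, `innerHTML`, `dangerouslySetInnerHTML`) arguably merit `ERROR` so the intent is visible in the rule file itself rather than only in the CI flag.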