jonasflorencio seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Semgrep and jq | ||
| run: | | ||
| pip install semgrep jq | ||
| - name: Run Semgrep Scan and Save JSON | ||
| run: | | ||
| semgrep --config p/go --json > semgrep-report.json | ||
| - name: Count Critical and Error findings | ||
| id: findings | ||
| run: | | ||
| count=$(jq '[.results[] | select(.extra.severity == "CRITICAL" or .extra.severity == "ERROR")] | length' semgrep-report.json) | ||
| echo "count=$count" >> $GITHUB_OUTPUT | ||
| - name: Send findings to webhook | ||
| env: | ||
| ROCKETCHAT_WEBHOOK_URL: ${{ secrets.ROCKETCHAT_WEBHOOK_URL }} | ||
| run: | | ||
| curl -X POST "$ROCKETCHAT_WEBHOOK_URL" \ | ||
| -H "Content-Type: application/json" \ | ||
| --data "{\"alias\":\"Security Notifications\",\"text\":\"**Semgrep Report - ($GITHUB_REPOSITORY)**\n\n**Finding count (Critical and Error):** ${{ steps.findings.outputs.count }}\"}" | ||
| - name: Print findings in logs | ||
| run: | | ||
| echo "=== ALL SEMGREP FINDINGS ===" | ||
| jq '.results[] | {rule: .check_id, file: .path, line: .start.line, severity: .extra.severity, message: .extra.message}' semgrep-report.json No newline at end of file |
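Review bot: the install step's `pip install semgrep jq` pulls the PyPI `jq` package, which is a Python binding and does not provide the `jq` command that the count and print steps call; those steps only work because ubuntu-latest ships jq preinstalled, so drop `jq` from the pip line (or install it explicitly with `sudo apt-get install -y jq`) so the dependency is stated rather than assumed. In the webhook step, build the body with `jq -n --arg ...` instead of hand-escaping it inside the shell string, and pass `--fail` to `curl` so a rejected post fails the step instead of passing silently.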
Check warning: Code scanning / CodeQL, "Workflow does not contain permissions" (Medium)
Copilot Autofix (AI), 7 months ago
To resolve the flagged issue, add a permissions: block to restrict the GITHUB_TOKEN permissions for the workflow. This should be placed at the top level (applies to all jobs, unless overridden), above or directly below on: but before the jobs: block. Based on the actions performed in this workflow (checking out code, installing packages, reading JSON, sending webhook), the minimal necessary scope is likely contents: read. This change will ensure the workflow adheres to least privilege practices and future-proofs against broader permissions leaking in. No additional imports, methods, or definitions are required—just a YAML edit.
| @@ -3,6 +3,8 @@ | ||
| schedule: | ||
| - cron: '0 13 * * 1' | ||
|
|
||
| permissions: | ||
| contents: read | ||
| jobs: | ||
| semgrep: | ||
| runs-on: ubuntu-latest |
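Review bot: the top-level `permissions: contents: read` block is the right minimal scope here; checkout only needs to read the repository, and the Rocket.Chat post authenticates with `ROCKETCHAT_WEBHOOK_URL` from secrets rather than with `GITHUB_TOKEN`, so no later step should break. Keep in mind that once a top-level block is set it replaces the default token permissions for every job in the workflow, so any job added later that needs a broader scope must declare it at the job level.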
What? ⛵
The security team is implementing Semgrep in the private repositories according to this documentation. Semgrep is a SAST tool capable of identifying potential vulnerabilities in our repository.
Why? 🤔
The goal of this implementation is to reduce the likelihood of having vulnerabilities in our source code.
Links 🌎