import * as core from '@actions/core'
import * as fs from 'fs'
import * as path from 'path'
import * as yaml from 'js-yaml'
import * as inputs from './inputs.js'
import * as scanner from './scanner.js'
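/**
 * Main function for the action. Runs the configured scanner based on inputs.
 *
 * Side effects: removes the proxy variables from the process environment,
 * may create `.semgrepignore` in the working directory from an
 * `aviary.yaml`/`aviary.yml` file, and reports failures through
 * `core.setFailed` (invalid aviary config, unsupported scanner, scanner
 * error) instead of rejecting.
 *
 * @returns `Promise` that resolves when the operation is complete.
 */
export async function run(): Promise<void> {
  // Required to avoid the changes made in Semgrep Release v1.128.0.
  // NOTE(review): as a consequence everything the scanner does over the
  // network (e.g. `--config auto` contacting the Semgrep registry) bypasses
  // any proxy configured on the runner.
  delete process.env.HTTP_PROXY
  delete process.env.http_proxy
  delete process.env.HTTPS_PROXY
  delete process.env.https_proxy

  const scannerInput = inputs.getScannerInput()
  if (scannerInput !== 'semgrep') {
    core.setFailed(`${scannerInput} is not supported`)
    return
  }
  const scannerInstance: scanner.Scanner = {
    command: 'semgrep',
    args: [
      '--quiet',
      '--config',
      'auto',
      '--sarif',
      '--sarif-output',
      'semgrep.sarif',
      '--output',
      '/dev/null',
      // Exclude rules that are mostly false positives (GAS-195)
      '--exclude-rule',
      'generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value',
      '--exclude-rule',
      'generic.secrets.security.detected-jwt-token.detected-jwt-token',
      '--exclude-rule',
      'generic.secrets.security.detected-aws-account-id.detected-aws-account-id',
      '--exclude-rule',
      'yaml.docker-compose.security.no-new-privileges.no-new-privileges',
      '--exclude-rule',
      'yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service',
      '--exclude-rule',
      'yaml.kubernetes.security.run-as-non-root.run-as-non-root',
      '--exclude-rule',
      'generic.secrets.security.detected-private-key.detected-private-key' // Duplicate of secret scanning
    ],
    url: 'https://github.com/semgrep/semgrep/archive/refs/tags/v1.161.0.tar.gz',
    version: 'v1.161.0',
    installType: scanner.InstallType.Pip
  }

  // Generate .semgrepignore from the repository's aviary config if it doesn't
  // exist yet. The config is repository-controlled (untrusted) data, so it is
  // parsed and validated up front: a malformed file fails the action with a
  // clear message instead of surfacing as an unhandled rejection mid-walk.
  if (!fs.existsSync('.semgrepignore')) {
    const aviaryName = ['aviary.yaml', 'aviary.yml'].find(name =>
      fs.existsSync(name)
    )
    if (aviaryName !== undefined) {
      let excludePatterns: RegExp[]
      try {
        excludePatterns = loadExcludePatterns(aviaryName)
      } catch (error) {
        core.setFailed(
          `Invalid ${aviaryName}: ${error instanceof Error ? error.message : String(error)}`
        )
        return
      }
      // Nothing to match means nothing would ever be appended; skip the walk.
      if (excludePatterns.length > 0) {
        writeSemgrepIgnore(excludePatterns)
      }
    }
  }

  try {
    await scanner.run(scannerInstance)
  } catch (error) {
    core.setFailed(`${error instanceof Error ? error.message : String(error)}`)
  }
}

/**
 * Reads the `exclude` list from an aviary config file and compiles each entry
 * to a `RegExp`.
 *
 * A file whose top level is not a mapping, or has no/falsy `exclude` key,
 * yields an empty list (nothing is excluded).
 *
 * @param aviaryName path of the aviary config file; must exist.
 * @returns compiled patterns, one per `exclude` entry, in file order.
 * @throws Error when the YAML cannot be parsed, `exclude` is present but not
 *   an array of strings, or an entry is not a valid regular expression.
 */
function loadExcludePatterns(aviaryName: string): RegExp[] {
  // js-yaml v4 `load` uses DEFAULT_SCHEMA (plain JS values only, no custom
  // tags). NOTE(review): if this project pins js-yaml v3, `load` is the unsafe
  // variant there and must be `safeLoad` — confirm against package.json.
  const parsed: unknown = yaml.load(fs.readFileSync(aviaryName, 'utf8'), {
    json: true // Ignore duplicate keys in mappings
  })
  if (typeof parsed !== 'object' || parsed === null) {
    return []
  }
  const exclude = (parsed as { exclude?: unknown }).exclude
  if (!exclude) {
    return []
  }
  if (!Array.isArray(exclude)) {
    throw new Error('"exclude" must be a list of regular expression strings')
  }
  return exclude.map((entry: unknown, index) => {
    if (typeof entry !== 'string') {
      throw new Error(`"exclude[${index}]" must be a string`)
    }
    // No flags are passed, so the compiled RegExp is stateless (no lastIndex)
    // and can safely be reused across every path tested below.
    // NOTE(review): patterns come from the repository and are run against
    // every path in it; a pathological pattern can only slow down the
    // repository's own scan, which is why no ReDoS guard is applied here.
    return new RegExp(entry)
  })
}

/**
 * Walks the working directory recursively and appends every path that matches
 * one of `patterns` to `.semgrepignore`, one path per line.
 *
 * Directories get a trailing `/` before matching and are recursed into only
 * when they did not match. `fs.statSync` follows symlinks, so a symlinked
 * directory is walked like a real one; a symlink with a missing target fails
 * `stat` and is treated as a plain file. To keep the walk finite, a directory
 * whose real path is already on the current recursion stack (a symlink cycle)
 * is still matched but not re-entered.
 *
 * @param patterns compiled exclude patterns; tested with `RegExp.test`.
 */
function writeSemgrepIgnore(patterns: RegExp[]): void {
  // Real paths of the directories currently being walked (root included).
  const onStack = new Set<string>()

  const walk = (directory: string): void => {
    for (const fileName of fs.readdirSync(directory)) {
      let filePath = path.join(directory, fileName)
      let isDirectory = false
      try {
        isDirectory = fs.statSync(filePath).isDirectory()
      } catch {
        // Ignore broken symlinks (stat follows the link; a dangling target throws)
      }
      if (isDirectory) {
        filePath = `${filePath}/`
      }
      if (patterns.some(pattern => pattern.test(filePath))) {
        fs.appendFileSync('.semgrepignore', `${filePath}\n`)
        continue
      }
      if (!isDirectory) {
        continue
      }
      let realPath: string
      try {
        realPath = fs.realpathSync(filePath)
      } catch {
        // Directory vanished or became unreadable between stat and here.
        continue
      }
      if (onStack.has(realPath)) {
        // Symlink cycle back into an ancestor: recursing would never terminate.
        continue
      }
      onStack.add(realPath)
      walk(filePath)
      onStack.delete(realPath)
    }
  }

  onStack.add(fs.realpathSync('.'))
  walk('.')
}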