Skip to content

CID-17067 - Add renovate to update semgrep#110

Merged
btr-rmconsole-2[bot] merged 1 commit into
masterfrom
update
Sep 22, 2025
Merged

CID-17067 - Add renovate to update semgrep#110
btr-rmconsole-2[bot] merged 1 commit into
masterfrom
update

Conversation

@andrewlundberg-wf
Copy link
Copy Markdown
Contributor

@andrewlundberg-wf andrewlundberg-wf commented Sep 17, 2025
edited
Loading

The gha-security-scanner is currently pinned to a version of semgrep that is over a year old. This dependency should be updated and maintained to ensure we are using the latest security rules and fixes.

Acceptance Criteria
Update the scanner to use the latest version of semgrep (see: https://github.com/semgrep/semgrep/releases

Implement automatic updates so that semgrep is updated at least weekly

Reference point for current version pin:https://github.com/Workiva/gha-security-scanner/blob/master/src/main.ts#L48

Sample of run with renovate configuration

@btr-rmconsole-6
Copy link
Copy Markdown

btr-rmconsole-6 Bot commented Sep 17, 2025
edited by btr-rmconsole-2 Bot
Loading

Merge Requirements Met ✅

Request Rosie to automerge this pull request by including @Workiva/release-management-p in a comment.

General Information

Ticket(s):

Code Review(s): #110
Release Image Tags:

Reviewers: jonasray-wf

Additional Information

Watchlist Notifications: None

	When this pull is merged I will add it to the following release:
	Version: gha-security-scanner v0.1.2
	Release Ticket(s): None

Note: This is a shortened report. Click here to view Rosie's full evaluation.
Last updated on Monday, September 22 01:11 PM CST

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Sep 17, 2025
edited
Loading

Security Audit Results

Please direct questions to #support-infosec.

Commit Signing

✅ All commits are signed

Raven

✅ 40 global file checks pass
✅ 93 global keyword checks pass

Images

✅ No Dockerfiles in this PR

Workflows

.github/workflows/gha-security-scanner.yaml found.

@andrewlundberg-wf andrewlundberg-wf changed the title wip CID-17067 - Add renovate to update semgrep Sep 19, 2025
@andrewlundberg-wf andrewlundberg-wf marked this pull request as ready for review September 19, 2025 20:12
@andrewlundberg-wf andrewlundberg-wf requested review from a team as code owners September 19, 2025 20:12
jonasray-wf
jonasray-wf approved these changes Sep 22, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@jonasray-wf jonasray-wf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Workiva/release-management-p

rmconsole-wf
rmconsole-wf approved these changes Sep 22, 2025
View reviewed changes
Copy link
Copy Markdown

@rmconsole-wf rmconsole-wf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 from RM

@btr-rmconsole-2 btr-rmconsole-2 Bot merged commit a3d9085 into master Sep 22, 2025
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jonasray-wf jonasray-wf jonasray-wf approved these changes

@rmconsole-wf rmconsole-wf rmconsole-wf approved these changes

Assignees

No one assigned

Labels

Merge Requirements Met RM Ready

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@andrewlundberg-wf @jonasray-wf @rmconsole-wf