This repository contains Semgrep rules developed and made public by @Saleor.
To use the rules, clone this git repository. A single rule can then be run from the cloned repository, for example:

```sh
semgrep -c /path-to-the-clone-semgrep-rules/the-rule.yml .
```

Alternatively, all rules can be run at once by pointing Semgrep at the repository directory:

```sh
semgrep -c /path-to-the-clone-semgrep-rules .
```
TypeScript rules:

| ID | Impact | Confidence | Description |
|---|---|---|---|
| typescript.lang.security.audit.timing-attack-comparison | HIGH | LOW | Checks that comparisons against secrets are timing-safe (constant-time). |
GitHub Actions (YAML) rules:

| ID | Impact | Confidence | Description |
|---|---|---|---|
| yaml.github-actions.security.audit.shell-script-injection | HIGH | HIGH | Ensures no string interpolations (`${{ ... }}`) are present inside `run` blocks of GitHub Actions workflows. |
| yaml.github-actions.security.audit.secrets-without-environment | HIGH | HIGH | Matches GitHub Workflows that use secrets (other than `GITHUB_TOKEN`) without providing a GitHub Environment (`environment` keyword). |
| yaml.github-actions.security.audit.global-permissions-used | HIGH | HIGH | Prevents workflows from setting global (workflow-level) permissions. |
| yaml.github-actions.security.audit.oidc-id-token-without-environment | HIGH | HIGH | Ensures an `environment` key is provided whenever OIDC is used, so that external systems verifying the workflow run can confirm it is authorized. |
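As an added illustration of what the four GitHub Actions rules above look for (not code from this repository, and not the Semgrep rules themselves), the following Python audit applies the same four checks to an already-parsed workflow. It assumes the input is the dict PyYAML's `yaml.safe_load()` would return for a `.github/workflows/*.yml` file; the sample workflow, the rule names and the `audit_workflow`/`strings_in` helpers are constructed for this example.

```python
import re

# Constructed sample: the dict yaml.safe_load() returns for a workflow file
# (assumption: real input is parsed from .github/workflows/*.yml with PyYAML).
SAMPLE_WORKFLOW = {
    "on": {"pull_request_target": {}},
    "permissions": {"contents": "write"},  # global permissions block
    "jobs": {
        "build": {  # untrusted event data interpolated into a shell command
            "steps": [{"run": 'echo "PR: ${{ github.event.pull_request.title }}"'}],
        },
        "deploy": {  # OIDC token and a repository secret, but no environment
            "permissions": {"id-token": "write"},
            "steps": [{"run": "./deploy.sh", "env": {"API_KEY": "${{ secrets.API_KEY }}"}}],
        },
        "test": {  # environment set; GITHUB_TOKEN is exempt from the secrets rule
            "environment": "staging",
            "steps": [{"run": "./test.sh", "env": {"TOKEN": "${{ secrets.GITHUB_TOKEN }}"}}],
        },
    },
}

INTERPOLATION = re.compile(r"\$\{\{.*?\}\}")
# Any secrets.* reference except the built-in GITHUB_TOKEN.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(?!GITHUB_TOKEN\b)\w+")


def strings_in(node):
    """Yield every string nested anywhere in a parsed YAML node."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for value in (node.values() if isinstance(node, dict) else node):
            yield from strings_in(value)


def audit_workflow(wf):
    """Return (rule, job) findings; rule names follow the table above."""
    findings = []
    if "permissions" in wf:
        findings.append(("global-permissions-used", None))
    for name, job in wf.get("jobs", {}).items():
        has_env = "environment" in job
        if any(INTERPOLATION.search(s.get("run", "")) for s in job.get("steps", [])):
            findings.append(("shell-script-injection", name))
        if not has_env and any(SECRET_REF.search(s) for s in strings_in(job)):
            findings.append(("secrets-without-environment", name))
        # Job-level permissions override the global block; "write-all" also grants id-token.
        perms = job.get("permissions", wf.get("permissions"))
        id_token = perms == "write-all" or (isinstance(perms, dict) and perms.get("id-token") == "write")
        if not has_env and id_token:
            findings.append(("oidc-id-token-without-environment", name))
    return findings
```

The `test` job produces no finding because it declares an `environment` and only references `GITHUB_TOKEN`, which is how the two environment rules are meant to behave.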
Refer to our guidelines: