feat: add global baseline #26
run-semgrep.yaml
on: pull_request
scanner / semgrep/ci (56s)

Annotations
2 errors and 10 warnings
scanner / semgrep/ci: example-bad.yaml#L6
Potential script injection through string interpolation, use an intermediate environment variable instead of ${{ ... }}.

scanner / semgrep/ci
Process completed with exit code 1.

scanner / semgrep/ci
Syntax error: Syntax error at line saleor-rules/.git/hooks/push-to-checkout.sample:26: `2` was unexpected

scanner / semgrep/ci
Syntax error: Syntax error at line saleor-rules/.git/hooks/pre-rebase.sample:41: `2` was unexpected

scanner / semgrep/ci
Syntax error: Syntax error at line saleor-rules/.git/hooks/pre-push.sample:47: `2` was unexpected

scanner / semgrep/ci
Syntax error: Syntax error at line .git/hooks/push-to-checkout.sample:26: `2` was unexpected

scanner / semgrep/ci
Syntax error: Syntax error at line .git/hooks/pre-rebase.sample:41: `2` was unexpected

scanner / semgrep/ci
Syntax error: Syntax error at line .git/hooks/pre-push.sample:47: `2` was unexpected

scanner / semgrep/ci: saleor-rules/.github/workflows/action-run-semgrep.yaml#L198
This GitHub Actions workflow uses secrets but does not configure a job-level environment. Secrets should be scoped to a GitHub Environment to enforce protection rules (reviewers, deployment gates, etc) and to reduce blast radius.

scanner / semgrep/ci: saleor-rules/.github/workflows/action-run-semgrep.yaml#L195
This GitHub Actions workflow uses secrets but does not configure a job-level environment. Secrets should be scoped to a GitHub Environment to enforce protection rules (reviewers, deployment gates, etc) and to reduce blast radius.

scanner / semgrep/ci: saleor-rules/.github/workflows/action-run-semgrep.yaml#L194
This GitHub Actions workflow uses secrets but does not configure a job-level environment. Secrets should be scoped to a GitHub Environment to enforce protection rules (reviewers, deployment gates, etc) and to reduce blast radius.

scanner / semgrep/ci: .github/workflows/action-run-semgrep.yaml#L146
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Artifacts
Produced during runtime

| Name | Size | Digest |
|---|---|---|
| Semgrep OSS SARIF Results (Expired) | 1.97 KB | sha256:c5670cd824bcbb3e447b6bdefee6ffd69755b49779840f19a4a2d1f440d34ba4 |