feat: add global baseline #26
Annotations
2 errors and 10 warnings
Export SARIF Results:
example-bad.yaml#L6
Potential script injection through string interpolation, use an intermediate environment variable instead of ${{ ... }}.

Run Semgrep Rules
Process completed with exit code 1.

Export SARIF Results
Syntax error: Syntax error at line saleor-rules/.git/hooks/push-to-checkout.sample:26: `2` was unexpected

Export SARIF Results
Syntax error: Syntax error at line saleor-rules/.git/hooks/pre-rebase.sample:41: `2` was unexpected

Export SARIF Results
Syntax error: Syntax error at line saleor-rules/.git/hooks/pre-push.sample:47: `2` was unexpected

Export SARIF Results
Syntax error: Syntax error at line .git/hooks/push-to-checkout.sample:26: `2` was unexpected

Export SARIF Results
Syntax error: Syntax error at line .git/hooks/pre-rebase.sample:41: `2` was unexpected

Export SARIF Results
Syntax error: Syntax error at line .git/hooks/pre-push.sample:47: `2` was unexpected

Export SARIF Results:
saleor-rules/.github/workflows/action-run-semgrep.yaml#L198
This GitHub Actions workflow uses secrets but does not configure a job-level environment. Secrets should be scoped to a GitHub Environment to enforce protection rules (reviewers, deployment gates, etc) and to reduce blast radius.

Export SARIF Results:
saleor-rules/.github/workflows/action-run-semgrep.yaml#L195
This GitHub Actions workflow uses secrets but does not configure a job-level environment. Secrets should be scoped to a GitHub Environment to enforce protection rules (reviewers, deployment gates, etc) and to reduce blast radius.

Export SARIF Results:
saleor-rules/.github/workflows/action-run-semgrep.yaml#L194
This GitHub Actions workflow uses secrets but does not configure a job-level environment. Secrets should be scoped to a GitHub Environment to enforce protection rules (reviewers, deployment gates, etc) and to reduce blast radius.

Export SARIF Results:
.github/workflows/action-run-semgrep.yaml#L146
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.