From aaf3c679f066c66efa0239d7971a0e3afc83c467 Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Wed, 7 Sep 2022 16:10:41 -0400
Subject: [PATCH 01/27] add security linting
---
 .github/workflows/security-checks.yml | 49 +++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 .github/workflows/security-checks.yml
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
new file mode 100644
index 0000000..1690d7e
--- /dev/null
+++ b/.github/workflows/security-checks.yml
@@ -0,0 +1,49 @@
+name: "Static analysis checks for security vulnerabilities"
+on:
+ workflow_call:
+
+jobs:
+ security-lint:
+ name: "Run all applicable static analysis checks for vulnerabilities and security antipatterns"
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Checkout repository"
+ uses: actions/checkout@v2
+
+ - name: "Determine which Semgrep config(s) to use"
+ run: |
+ REPO_NAME=${{ github.event.repository.name }}
+
+ if [[ $REPO_NAME =~ "/android/" ]]; then
+ IS_MOBILE="true"
+ SEMGREP_RULES="p/java p/kotlin p/javascript p/bash p/yaml"
+
+ elif [[ $REPO_NAME =~ "/apple/" ]]; then
+ IS_MOBILE="true"
+ SEMGREP_RULES="p/ci p/javascript p/ruby p/bash p/yaml"
+
+ elif [[ $REPO_NAME =~ "/web/" || $REPO_NAME =~ "/node/" ]]; then
+ IS_MOBILE="false"
+ SEMGREP_RULES="p/javascript p/typescript"
+
+ else
+ IS_MOBILE="false"
+ SEMGREP_RULES="auto"
+ fi
+
+ echo "IS_MOBILE=$IS_MOBILE" >> $GITHUB_ENV
+ echo "SEMGREP_RULES=$SEMGREP_RULES" >> $GITHUB_ENV
+
+ - name: "Run Semgrep"
+ run: semgrep ci
+ env:
+ SEMGREP_RULES:
+ ${{ env.SEMGREP_RULES }}
+
+ - name: "Install mobsfscan"
+ if: env.IS_MOBILE == 'true'
+ run: "pip install mobsfscan"
+
+ - name: "Run mobsfscan"
+ if: env.IS_MOBILE == 'true'
+ run: "mobsfscan . --sonarqube"
From ad5ad5d2868c66af7f5ac87013d1891a1b453e59 Mon Sep 17 00:00:00 2001
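Review bot: The branching in the "Determine which Semgrep config(s) to use" step can never select a mobile or web ruleset: `github.event.repository.name` is the bare repository name, which cannot contain `/`, and the quoted right-hand side of `=~` is matched as a literal substring, so `"/android/"` never matches and every repository falls through to `SEMGREP_RULES="auto"` with `IS_MOBILE="false"`. If the intent is a naming convention on the repository name, compare against it directly, e.g. `if [[ $REPO_NAME == *android* ]]; then` (adjusted to the actual convention); if the organisation path is the signal, `github.event.repository.full_name` carries `owner/name`. Separately, the expression is interpolated straight into the script text (`REPO_NAME=${{ github.event.repository.name }}`); the usual guard against expression injection is to pass it through the step's `env:` block and read `$REPO_NAME` in the script. The workflow also declares no `permissions:` block, so the job token inherits the repository default; `permissions: contents: read` at the top of the file is all a read-only scan needs, and `actions/checkout@v2` should be pinned to a full commit SHA rather than a moving tag.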
From: Adrian Kim
Date: Wed, 7 Sep 2022 16:15:21 -0400
Subject: [PATCH 02/27] actually trigger a run
---
 .github/workflows/security-checks.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index 1690d7e..9ecf0d2 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -1,7 +1,8 @@
 name: "Static analysis checks for security vulnerabilities"
 on:
 workflow_call:
-
+ pull_request: #
+ types: [opened, reopened, synchronize, edited] #
 jobs:
 security-lint:
 name: "Run all applicable static analysis checks for vulnerabilities and security antipatterns"
From 1a8098f8bf2dcb70168b3872686b5c3bcf7e33be Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Wed, 7 Sep 2022 16:21:33 -0400
Subject: [PATCH 03/27] pull semgrep
---
 .github/workflows/security-checks.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index 9ecf0d2..58c3df4 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -36,6 +36,9 @@ jobs:
 echo "SEMGREP_RULES=$SEMGREP_RULES" >> $GITHUB_ENV
 - name: "Run Semgrep"
+ container:
+ # A Docker image with Semgrep installed. Don't change this.
+ image: returntocorp/semgrep
 run: semgrep ci
 env:
 SEMGREP_RULES:
From 433512582ceae638b3962f4f010d21ac901058c0 Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Wed, 7 Sep 2022 16:23:41 -0400
Subject: [PATCH 04/27] trigger run
---
 .github/workflows/security-checks.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index 58c3df4..ff50521 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -37,7 +37,6 @@ jobs:
 - name: "Run Semgrep"
 container:
- # A Docker image with Semgrep installed. Don't change this.
 image: returntocorp/semgrep
 run: semgrep ci
 env:
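Review bot: In [PATCH 03/27], `container:` is a job-level key in the Actions workflow schema, not a step-level one, so placing it under the "Run Semgrep" step is rejected at workflow validation instead of providing Semgrep; the `image: returntocorp/semgrep` mapping belongs next to the job's `runs-on:` (or the step must install Semgrep itself). When it is moved, pin the image to a specific tag or digest rather than the floating default so the scanner version that runs is reproducible.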
From 9f75d7b249d6400e61c107ff863e20862deb2576 Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Wed, 7 Sep 2022 16:26:00 -0400
Subject: [PATCH 05/27] trigger run
---
 .github/workflows/security-checks.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index ff50521..e092fbb 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -1,8 +1,7 @@
 name: "Static analysis checks for security vulnerabilities"
 on:
 workflow_call:
- pull_request: #
- types: [opened, reopened, synchronize, edited] #
+
 jobs:
 security-lint:
 name: "Run all applicable static analysis checks for vulnerabilities and security antipatterns"
From b55b72b11336e3b4379774221d20c32e07b362bd Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Wed, 7 Sep 2022 16:31:44 -0400
Subject: [PATCH 06/27] trigger run
---
 .github/workflows/security-checks.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index e092fbb..c6c6e3a 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -1,7 +1,8 @@
 name: "Static analysis checks for security vulnerabilities"
 on:
 workflow_call:
-
+ pull_request: #
+ types: [opened, reopened, synchronize, edited, ready_for_review, review_requested, assigned ] #
 jobs:
 security-lint:
 name: "Run all applicable static analysis checks for vulnerabilities and security antipatterns"
From ab49c8476d5506165dc229e713d716b77ef060c9 Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Wed, 7 Sep 2022 16:49:37 -0400
Subject: [PATCH 07/27] trigger run
---
 .github/workflows/security-checks.yml | 31 ++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index c6c6e3a..047a4dd 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -1,11 +1,11 @@
 name: "Static analysis checks for security vulnerabilities"
 on:
 workflow_call:
- pull_request: #
+ pull_request: # TODO
 types: [opened, reopened, synchronize, edited, ready_for_review, review_requested, assigned ] #
 jobs:
 security-lint:
- name: "Run all applicable static analysis checks for vulnerabilities and security antipatterns"
+ name: "Determine which checks to run and set environmental variables"
 runs-on: ubuntu-latest
 steps:
 - name: "Checkout repository"
@@ -35,18 +35,33 @@ jobs:
 echo "IS_MOBILE=$IS_MOBILE" >> $GITHUB_ENV
 echo "SEMGREP_RULES=$SEMGREP_RULES" >> $GITHUB_ENV
+ echo "IS_MOBILE=$IS_MOBILE and SEMGREP_RULES=$SEMGREP_RULES"
+
+ run-semgrep:
+ name: "Run Semgrep to find vulnerabilities and security antipatterns"
+ runs-on: ubuntu-latest
+ container:
+ image: returntocorp/semgrep
+ if: (github.actor != 'dependabot[bot]') # skip for permissions issues for dependabot-opened PR's
+ steps:
+ - name: "Checkout repository"
+ uses: actions/checkout@v3
+
 - name: "Run Semgrep"
- container:
- image: returntocorp/semgrep
 run: semgrep ci
 env:
 SEMGREP_RULES:
 ${{ env.SEMGREP_RULES }}
- - name: "Install mobsfscan"
- if: env.IS_MOBILE == 'true'
- run: "pip install mobsfscan"
+ run-mobsfscan:
+ name: "Run mobsfscan to find Android/iOS vulnerabilities and misconfigurations"
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Checkout repository"
+ uses: actions/checkout@v3
 - name: "Run mobsfscan"
 if: env.IS_MOBILE == 'true'
- run: "mobsfscan . --sonarqube"
+ uses: MobSF/mobsfscan@main
+ with:
+ args: '. --sonarqube'
From 23973a2c24f6005d765a519c97d6523652906990 Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Wed, 7 Sep 2022 16:55:59 -0400
Subject: [PATCH 08/27] trigger run
---
 .github/workflows/security-checks.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index 047a4dd..aea2e78 100644
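Review bot: The new `run-semgrep` and `run-mobsfscan` jobs still read `env.SEMGREP_RULES` and `env.IS_MOBILE`, but values written to `$GITHUB_ENV` are scoped to the job that wrote them and are not visible in other jobs, so Semgrep runs with an empty `SEMGREP_RULES` and the `if: env.IS_MOBILE == 'true'` guard on the mobsfscan step is always false, silently skipping the scan. Data that must cross jobs has to be exposed as job `outputs:` on `security-lint` and read through `needs.security-lint.outputs.*`, which also requires a `needs:` edge so the jobs run in order. `uses: MobSF/mobsfscan@main` tracks a moving branch of a third-party action; pin it to a release tag or, preferably, a full commit SHA so that a change in that repository cannot alter what executes in this pipeline.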
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -48,10 +48,7 @@ jobs:
 uses: actions/checkout@v3
 - name: "Run Semgrep"
- run: semgrep ci
- env:
- SEMGREP_RULES:
- ${{ env.SEMGREP_RULES }}
+ run: "semgrep ci --config='${{ env.SEMGREP_RULES }}'"
 run-mobsfscan:
 name: "Run mobsfscan to find Android/iOS vulnerabilities and misconfigurations"
From bf948554458dafa759f6662f2c3604a94a9c92d6 Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Wed, 7 Sep 2022 17:33:25 -0400
Subject: [PATCH 09/27] trigger run
---
 .github/workflows/security-checks.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index aea2e78..918fc52 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -48,7 +48,9 @@ jobs:
 uses: actions/checkout@v3
 - name: "Run Semgrep"
- run: "semgrep ci --config='${{ env.SEMGREP_RULES }}'"
+ run: "semgrep ci"
+ env:
+ SEMGREP_RULES: ${{ env.SEMGREP_RULES }}
 run-mobsfscan:
 name: "Run mobsfscan to find Android/iOS vulnerabilities and misconfigurations"
From 4f4da7971f44176028bec3f6e67ca2efa9f2a79d Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Wed, 7 Sep 2022 17:48:35 -0400
Subject: [PATCH 10/27] set explicit dependencies
---
 .github/workflows/security-checks.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index 918fc52..f9d47ed 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -1,12 +1,15 @@
 name: "Static analysis checks for security vulnerabilities"
 on:
 workflow_call:
- pull_request: # TODO
- types: [opened, reopened, synchronize, edited, ready_for_review, review_requested, assigned ] #
+ pull_request: # REMOVE
+ types: [opened, reopened, synchronize, edited, ready_for_review, review_requested, assigned ]
 jobs:
- security-lint:
+ set-scan-configs:
 name: "Determine which checks to run and set environmental variables"
 runs-on: ubuntu-latest
+ #outputs:
+ # IS_MOBILE: ${{ steps.step1.outputs.test }}
+ # SEMGREP_CONFIGS: ${{ steps.step1.outputs.test }}
 steps:
 - name: "Checkout repository"
 uses: actions/checkout@v2
@@ -39,6 +42,7 @@ jobs:
 run-semgrep:
 name: "Run Semgrep to find vulnerabilities and security antipatterns"
+ needs: set-scan-configs
 runs-on: ubuntu-latest
 container:
 image: returntocorp/semgrep
@@ -54,6 +58,7 @@ jobs:
 run-mobsfscan:
 name: "Run mobsfscan to find Android/iOS vulnerabilities and misconfigurations"
+ needs: set-scan-configs
 runs-on: ubuntu-latest
 steps:
 - name: "Checkout repository"
From e461e8831ea471b5365ec1f7746595241702cc77 Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Wed, 7 Sep 2022 17:50:03 -0400
Subject: [PATCH 11/27] test
---
 .github/workflows/security-checks.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index f9d47ed..05608d6 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -51,6 +51,9 @@ jobs:
 - name: "Checkout repository"
 uses: actions/checkout@v3
+ - name: "test"
+ run: "echo ${{ env.SEMGREP_RULES }}"
+
 - name: "Run Semgrep"
 run: "semgrep ci"
 env:
From f466c4f5dd91cfa4c1a807b31376f7aa76ff9076 Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Thu, 8 Sep 2022 14:49:06 -0400
Subject: [PATCH 12/27] Persist outputs between jobs
---
 .github/workflows/security-checks.yml | 42 +++++++++++++++++----------
 1 file changed, 27 insertions(+), 15 deletions(-)
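Review bot: In [PATCH 10/27], `needs: set-scan-configs` now orders the jobs, but nothing flows along that edge yet: the `outputs:` block of `set-scan-configs` is still commented out and points at a placeholder step id (`steps.step1.outputs.test`), while the consumers still read `env.SEMGREP_RULES` / `env.IS_MOBILE`, which are job-scoped and therefore empty in the downstream jobs. Until the outputs are wired (`IS_MOBILE: ${{ steps.<step-id>.outputs.IS_MOBILE }}` with a matching `id:` on the producing step) the dependency only adds latency without changing what the scans see. The `# REMOVE` marker on `pull_request:` records that the trigger is a temporary debugging aid; on a reusable workflow such a trigger is easy to forget, so it is worth tracking explicitly.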
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index 05608d6..b7a1141 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -7,38 +7,45 @@ jobs:
 set-scan-configs:
 name: "Determine which checks to run and set environmental variables"
 runs-on: ubuntu-latest
- #outputs:
- # IS_MOBILE: ${{ steps.step1.outputs.test }}
- # SEMGREP_CONFIGS: ${{ steps.step1.outputs.test }}
+ outputs:
+ IS_MOBILE: ${{ steps.set-mobsfscan.outputs.test }}
+ SEMGREP_RULES: ${{ steps.set-semgrep.outputs.test }}
 steps:
 - name: "Checkout repository"
 uses: actions/checkout@v2
 - name: "Determine which Semgrep config(s) to use"
+ id: set-semgrep
 run: |
 REPO_NAME=${{ github.event.repository.name }}
 if [[ $REPO_NAME =~ "/android/" ]]; then
- IS_MOBILE="true"
 SEMGREP_RULES="p/java p/kotlin p/javascript p/bash p/yaml"
-
 elif [[ $REPO_NAME =~ "/apple/" ]]; then
- IS_MOBILE="true"
 SEMGREP_RULES="p/ci p/javascript p/ruby p/bash p/yaml"
-
 elif [[ $REPO_NAME =~ "/web/" || $REPO_NAME =~ "/node/" ]]; then
- IS_MOBILE="false"
 SEMGREP_RULES="p/javascript p/typescript"
+ else
+ SEMGREP_RULES="auto"
+ fi
+
+ echo "::set-output name=IS_MOBILE::$SEMGREP_RULES"
+ echo "Setting SEMGREP_RULES to: $SEMGREP_RULES"
+ - name: "Enable mobsfscan if this is a mobile repo"
+ id: set-mobsfscan
+ run: |
+ REPO_NAME=${{ github.event.repository.name }}
+
+ if [[ $REPO_NAME =~ "/android/" || $REPO_NAME =~ "/apple/" ]]; then
+ IS_MOBILE="true"
 else
 IS_MOBILE="false"
- SEMGREP_RULES="auto"
 fi
- echo "IS_MOBILE=$IS_MOBILE" >> $GITHUB_ENV
- echo "SEMGREP_RULES=$SEMGREP_RULES" >> $GITHUB_ENV
+ echo "::set-output name=IS_MOBILE::$IS_MOBILE"
+ echo "Setting IS_MOBILE to: $IS_MOBILE"
- echo "IS_MOBILE=$IS_MOBILE and SEMGREP_RULES=$SEMGREP_RULES"
 run-semgrep:
 name: "Run Semgrep to find vulnerabilities and security antipatterns"
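Review bot: In the `set-semgrep` step the output is written under the wrong name — `echo "::set-output name=IS_MOBILE::$SEMGREP_RULES"` — while the job's `outputs:` map reads `steps.set-semgrep.outputs.test` and `steps.set-mobsfscan.outputs.test`, names no step ever sets, so both job outputs resolve to empty strings. The step should emit `echo "::set-output name=SEMGREP_RULES::$SEMGREP_RULES"` and the map should reference `steps.set-semgrep.outputs.SEMGREP_RULES` and `steps.set-mobsfscan.outputs.IS_MOBILE`. The `::set-output` workflow command has since been deprecated by GitHub in favour of appending `name=value` to `$GITHUB_OUTPUT`, which is the form to use when this is revisited. Both steps also repeat `REPO_NAME=${{ github.event.repository.name }}` inside the script body; a job-level `env:` entry would expose it once and keep the expression out of the shell text.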
@@ -46,23 +53,28 @@ jobs:
 runs-on: ubuntu-latest
 container:
 image: returntocorp/semgrep
- if: (github.actor != 'dependabot[bot]') # skip for permissions issues for dependabot-opened PR's
+ if:
+ # skip for permissions issues for dependabot-opened PR's
+ (github.actor != 'dependabot[bot]')
 steps:
 - name: "Checkout repository"
 uses: actions/checkout@v3
 - name: "test"
- run: "echo ${{ env.SEMGREP_RULES }}"
+ run: "echo SEMGREP_RULES=${{ env.SEMGREP_RULES }}"
 - name: "Run Semgrep"
 run: "semgrep ci"
 env:
- SEMGREP_RULES: ${{ env.SEMGREP_RULES }}
+ SEMGREP_RULES: ${{ needs.set-scan-configs.outputs.SEMGREP_RULES }}
 run-mobsfscan:
 name: "Run mobsfscan to find Android/iOS vulnerabilities and misconfigurations"
 needs: set-scan-configs
 runs-on: ubuntu-latest
+ if:
+ # skip for permissions issues for dependabot-opened PR's
+ (github.actor != 'dependabot[bot]' && ${{needs.set-scan-configs.outputs.IS_MOBILE}} == "true")
 steps:
 - name: "Checkout repository"
 uses: actions/checkout@v3
From 62a834bb4f804d09f6f23c6eb899e63d46b045f4 Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Thu, 8 Sep 2022 14:52:54 -0400
Subject: [PATCH 13/27] repeat test
---
 .github/workflows/security-checks.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index b7a1141..288b1ec 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -46,7 +46,6 @@ jobs:
 echo "::set-output name=IS_MOBILE::$IS_MOBILE"
 echo "Setting IS_MOBILE to: $IS_MOBILE"
-
 run-semgrep:
 name: "Run Semgrep to find vulnerabilities and security antipatterns"
 needs: set-scan-configs
@@ -61,7 +60,7 @@ jobs:
 uses: actions/checkout@v3
 - name: "test"
- run: "echo SEMGREP_RULES=${{ env.SEMGREP_RULES }}"
+ run: "echo SEMGREP_RULES=${{ needs.set-scan-configs.outputs.SEMGREP_RULES }}"
 - name: "Run Semgrep"
 run: "semgrep ci"
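Review bot: The new job-level `if:` on `run-mobsfscan` compares against `"true"` in double quotes, but the Actions expression language only accepts single-quoted string literals, so the expression fails to parse; it also nests `${{ }}` inside an `if:` value, where the whole value is already evaluated as an expression. The condition should read `if: needs.set-scan-configs.outputs.IS_MOBILE == 'true' && github.actor != 'dependabot[bot]'`. The same double-quoted comparison is carried forward in [PATCH 13/27], [PATCH 17/27] and [PATCH 18/27].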
@@ -74,7 +73,7 @@ jobs:
 runs-on: ubuntu-latest
 if:
 # skip for permissions issues for dependabot-opened PR's
- (github.actor != 'dependabot[bot]' && ${{needs.set-scan-configs.outputs.IS_MOBILE}} == "true")
+ (github.actor != 'dependabot[bot]' && ${{ needs.set-scan-configs.outputs.IS_MOBILE }} == "true")
 steps:
 - name: "Checkout repository"
 uses: actions/checkout@v3
From 033d42b6dfe4805b63677dd0de2d5a37e0505415 Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Thu, 8 Sep 2022 14:54:11 -0400
Subject: [PATCH 14/27] repeat test
---
 .github/workflows/security-checks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index 288b1ec..c6ab35d 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -29,7 +29,7 @@ jobs:
 SEMGREP_RULES="auto"
 fi
- echo "::set-output name=IS_MOBILE::$SEMGREP_RULES"
+ echo "::set-output name=SEMGREP_RULES::$SEMGREP_RULES"
 echo "Setting SEMGREP_RULES to: $SEMGREP_RULES"
 - name: "Enable mobsfscan if this is a mobile repo"
From 8e938c8221898e7bd247ea030c8d7d8f4c5aaf74 Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Thu, 8 Sep 2022 14:56:36 -0400
Subject: [PATCH 15/27] set value on outputs
---
 .github/workflows/security-checks.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index c6ab35d..a717e96 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -8,8 +8,10 @@ jobs:
 name: "Determine which checks to run and set environmental variables"
 runs-on: ubuntu-latest
 outputs:
- IS_MOBILE: ${{ steps.set-mobsfscan.outputs.test }}
- SEMGREP_RULES: ${{ steps.set-semgrep.outputs.test }}
+ IS_MOBILE:
+ value: ${{ steps.set-mobsfscan.outputs.test }}
+ SEMGREP_RULES:
+ value: ${{ steps.set-semgrep.outputs.test }}
 steps:
 - name: "Checkout repository"
 uses: actions/checkout@v2
From 21daed1d8dcfc9a58a91a46284dc47a912137fe7 Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Thu, 8 Sep 2022 15:03:29 -0400
Subject: [PATCH 16/27] electric boogaloo
---
 .github/workflows/security-checks.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index a717e96..68c83f0 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -8,10 +8,8 @@ jobs:
 name: "Determine which checks to run and set environmental variables"
 runs-on: ubuntu-latest
 outputs:
- IS_MOBILE:
- value: ${{ steps.set-mobsfscan.outputs.test }}
- SEMGREP_RULES:
- value: ${{ steps.set-semgrep.outputs.test }}
+ IS_MOBILE: ${{ steps.set-mobsfscan.outputs.IS_MOBILE }}
+ SEMGREP_RULES: ${{ steps.set-semgrep.outputs.SEMGREP_RULES }}
 steps:
 - name: "Checkout repository"
 uses: actions/checkout@v2
@@ -81,7 +79,6 @@ jobs:
 uses: actions/checkout@v3
 - name: "Run mobsfscan"
- if: env.IS_MOBILE == 'true'
 uses: MobSF/mobsfscan@main
 with:
 args: '. --sonarqube'
From 7112e9d6c581029b56a50a0c06743c371fcd44d9 Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Thu, 8 Sep 2022 15:09:50 -0400
Subject: [PATCH 17/27] electric boogaloo
---
 .github/workflows/security-checks.yml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index 68c83f0..7bc69bf 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -12,7 +12,7 @@ jobs:
 SEMGREP_RULES: ${{ steps.set-semgrep.outputs.SEMGREP_RULES }}
 steps:
 - name: "Checkout repository"
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 - name: "Determine which Semgrep config(s) to use"
 id: set-semgrep
@@ -53,15 +53,13 @@ jobs:
 container:
 image: returntocorp/semgrep
 if:
- # skip for permissions issues for dependabot-opened PR's
+ # Skip dependabot-opened PR's due to permission issues
+ # See https://semgrep.dev/docs/semgrep-ci/sample-ci-configs/#github-actions
 (github.actor != 'dependabot[bot]')
 steps:
 - name: "Checkout repository"
 uses: actions/checkout@v3
- - name: "test"
- run: "echo SEMGREP_RULES=${{ needs.set-scan-configs.outputs.SEMGREP_RULES }}"
-
 - name: "Run Semgrep"
 run: "semgrep ci"
 env:
@@ -72,12 +70,15 @@ jobs:
 needs: set-scan-configs
 runs-on: ubuntu-latest
 if:
- # skip for permissions issues for dependabot-opened PR's
- (github.actor != 'dependabot[bot]' && ${{ needs.set-scan-configs.outputs.IS_MOBILE }} == "true")
+ # Skip dependabot-opened PR's due to permissions issues
+ (${{ needs.set-scan-configs.outputs.IS_MOBILE }} == "true" && github.actor != 'dependabot[bot]')
 steps:
 - name: "Checkout repository"
 uses: actions/checkout@v3
+ - name: "Echo IS_MOBILE"
+ run: "echo ${{ needs.set-scan-configs.outputs.IS_MOBILE }}"
+
 - name: "Run mobsfscan"
 uses: MobSF/mobsfscan@main
 with:
From 13676677c9c7a2d2eb695a057d415c7c04e9cd0a Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Thu, 8 Sep 2022 15:11:13 -0400
Subject: [PATCH 18/27] electric boogaloo
---
 .github/workflows/security-checks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index 7bc69bf..c43439a 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -71,7 +71,7 @@ jobs:
 runs-on: ubuntu-latest
 if:
 # Skip dependabot-opened PR's due to permissions issues
- (${{ needs.set-scan-configs.outputs.IS_MOBILE }} == "true" && github.actor != 'dependabot[bot]')
+ ((${{ needs.set-scan-configs.outputs.IS_MOBILE }} == "true") && (github.actor != 'dependabot[bot]'))
 steps:
 - name: "Checkout repository"
 uses: actions/checkout@v3
From e6c87ab2d798efcbc3ac4dd104c03217cb4e67c2 Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Thu, 8 Sep 2022 15:12:27 -0400
Subject: [PATCH 19/27] different bool
---
 .github/workflows/security-checks.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index c43439a..17d0a34 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -38,9 +38,9 @@ jobs:
 REPO_NAME=${{ github.event.repository.name }}
 if [[ $REPO_NAME =~ "/android/" || $REPO_NAME =~ "/apple/" ]]; then
- IS_MOBILE="true"
+ IS_MOBILE=${{ true }}
 else
- IS_MOBILE="false"
+ IS_MOBILE=${{ false }}
 fi
 echo "::set-output name=IS_MOBILE::$IS_MOBILE"
From 11d73d57cf6303d1a640b07ca676edcef1a5f46d Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Thu, 8 Sep 2022 15:14:23 -0400
Subject: [PATCH 20/27] different bool
---
 .github/workflows/security-checks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index 17d0a34..90dfbcd 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -71,7 +71,7 @@ jobs:
 runs-on: ubuntu-latest
 if:
 # Skip dependabot-opened PR's due to permissions issues
- ((${{ needs.set-scan-configs.outputs.IS_MOBILE }} == "true") && (github.actor != 'dependabot[bot]'))
+ (${{ needs.set-scan-configs.outputs.IS_MOBILE }} == ${{ true }} && github.actor != 'dependabot[bot]')
 steps:
 - name: "Checkout repository"
 uses: actions/checkout@v3
From 87350a52f46f62f86634dc1dc85344a957117097 Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Thu, 8 Sep 2022 16:08:16 -0400
Subject: [PATCH 21/27] stupid bug
---
 .github/workflows/security-checks.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index 90dfbcd..8f18bb2 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -54,7 +54,7 @@ jobs:
 image: returntocorp/semgrep
 if:
 # Skip dependabot-opened PR's due to permission issues
- # See https://semgrep.dev/docs/semgrep-ci/sample-ci-configs/#github-actions
+ # From https://semgrep.dev/docs/semgrep-ci/sample-ci-configs/#github-actions
 (github.actor != 'dependabot[bot]')
 steps:
 - name: "Checkout repository"
@@ -71,7 +71,7 @@ jobs:
 runs-on: ubuntu-latest
 if:
 # Skip dependabot-opened PR's due to permissions issues
- (${{ needs.set-scan-configs.outputs.IS_MOBILE }} == ${{ true }} && github.actor != 'dependabot[bot]')
+ (!${{ needs.set-scan-configs.outputs.IS_MOBILE }} && github.actor != 'dependabot[bot]')
 steps:
 - name: "Checkout repository"
 uses: actions/checkout@v3
From 76ef6980ea104ef775027662d6cfa9c27eee8bca Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Thu, 8 Sep 2022 16:10:07 -0400
Subject: [PATCH 22/27] stupid bug?
---
 .github/workflows/security-checks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index 8f18bb2..1422ff2 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -71,7 +71,7 @@ jobs:
 runs-on: ubuntu-latest
 if:
 # Skip dependabot-opened PR's due to permissions issues
- (!${{ needs.set-scan-configs.outputs.IS_MOBILE }} && github.actor != 'dependabot[bot]')
+ (${{ needs.set-scan-configs.outputs.IS_MOBILE }} == 'false' && github.actor != 'dependabot[bot]')
 steps:
 - name: "Checkout repository"
 uses: actions/checkout@v3
From ac5b57ca9e2edaebc318aab027ef9690e15ee8a1 Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Thu, 8 Sep 2022 16:11:49 -0400
Subject: [PATCH 23/27] stupid bug?
---
 .github/workflows/security-checks.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index 1422ff2..42a5d0a 100644
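Review bot: In [PATCH 21/27] the rewritten condition `(!${{ needs.set-scan-configs.outputs.IS_MOBILE }} && ...)` inverts the intent: with the upstream step emitting `true` for mobile repositories, `!true` is false, so `run-mobsfscan` is skipped exactly on the repositories the scanner is meant for. Since the output is a string, the guard should be `needs.set-scan-configs.outputs.IS_MOBILE == 'true' && github.actor != 'dependabot[bot]'`. The inversion persists through [PATCH 22/27], [PATCH 23/27] and [PATCH 24/27], which compare against `'false'`, `!= 'true'` and `format('false')` respectively, and is only reversed in [PATCH 25/27].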
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -75,11 +75,17 @@ jobs:
 steps:
 - name: "Checkout repository"
 uses: actions/checkout@v3
+ if:
+ ${{ needs.set-scan-configs.outputs.IS_MOBILE }} == 'false'
 - name: "Echo IS_MOBILE"
 run: "echo ${{ needs.set-scan-configs.outputs.IS_MOBILE }}"
+ if:
+ ${{ needs.set-scan-configs.outputs.IS_MOBILE }} == ${{ false }}
 - name: "Run mobsfscan"
 uses: MobSF/mobsfscan@main
 with:
 args: '. --sonarqube'
+ if:
+ ${{ needs.set-scan-configs.outputs.IS_MOBILE }} != 'true'
From 2fe51017434e0a8575dc44a5088b197174b8822b Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Thu, 8 Sep 2022 16:14:39 -0400
Subject: [PATCH 24/27] stupid docs
---
 .github/workflows/security-checks.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index 42a5d0a..a026e70 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -71,12 +71,12 @@ jobs:
 runs-on: ubuntu-latest
 if:
 # Skip dependabot-opened PR's due to permissions issues
- (${{ needs.set-scan-configs.outputs.IS_MOBILE }} == 'false' && github.actor != 'dependabot[bot]')
+ (needs.set-scan-configs.outputs.IS_MOBILE == format('false') && github.actor != 'dependabot[bot]')
 steps:
 - name: "Checkout repository"
 uses: actions/checkout@v3
 if:
- ${{ needs.set-scan-configs.outputs.IS_MOBILE }} == 'false'
+ ${{ needs.set-scan-configs.outputs.IS_MOBILE }} == format('false')
 - name: "Echo IS_MOBILE"
 run: "echo ${{ needs.set-scan-configs.outputs.IS_MOBILE }}"
From 3ee2b0acb893a03540535a15d1c4d39e28629b1b Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Thu, 8 Sep 2022 16:16:01 -0400
Subject: [PATCH 25/27] stupid
---
 .github/workflows/security-checks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index a026e70..a2ccb9a 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -71,7 +71,7 @@ jobs:
 runs-on: ubuntu-latest
 if:
 # Skip dependabot-opened PR's due to permissions issues
- (needs.set-scan-configs.outputs.IS_MOBILE == format('false') && github.actor != 'dependabot[bot]')
+ (needs.set-scan-configs.outputs.IS_MOBILE == format('true') && github.actor != 'dependabot[bot]')
 steps:
 - name: "Checkout repository"
 uses: actions/checkout@v3
From 1225483b51a3fb836f9c63ce1a8798b6b3c8d74e Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Fri, 9 Sep 2022 14:05:40 -0400
Subject: [PATCH 26/27] done
---
 .github/workflows/security-checks.yml | 18 +++++------------
 1 file changed, 5 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index a2ccb9a..d01f3cf 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -1,8 +1,9 @@
 name: "Static analysis checks for security vulnerabilities"
 on:
 workflow_call:
- pull_request: # REMOVE
- types: [opened, reopened, synchronize, edited, ready_for_review, review_requested, assigned ]
+ pull_request:
+ types: [opened, reopened, synchronize, edited]
+
 jobs:
 set-scan-configs:
 name: "Determine which checks to run and set environmental variables"
@@ -30,7 +31,7 @@ jobs:
 fi
 echo "::set-output name=SEMGREP_RULES::$SEMGREP_RULES"
- echo "Setting SEMGREP_RULES to: $SEMGREP_RULES"
+ echo "Setting SEMGREP_RULES to \'$SEMGREP_RULES\'"
 - name: "Enable mobsfscan if this is a mobile repo"
 id: set-mobsfscan
@@ -44,7 +45,7 @@ jobs:
 fi
 echo "::set-output name=IS_MOBILE::$IS_MOBILE"
- echo "Setting IS_MOBILE to: $IS_MOBILE"
+ echo "Setting IS_MOBILE to \'$IS_MOBILE\'"
 run-semgrep:
 name: "Run Semgrep to find vulnerabilities and security antipatterns"
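Review bot: In [PATCH 25/27], `format('true')` with no placeholders is just the string `'true'`, so the condition reads more plainly as `needs.set-scan-configs.outputs.IS_MOBILE == 'true' && github.actor != 'dependabot[bot]'`; the `format()` detour suggests the earlier trouble was the double-quoted `"true"`, which the expression language rejects, rather than anything about string construction. The comment above it, `# Skip dependabot-opened PR's due to permissions issues`, now describes only half of the condition; extend it to say the job is also limited to repositories that `set-scan-configs` flagged as mobile.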
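Review bot: In [PATCH 26/27], `\'` inside a double-quoted bash string is not an escape — the backslash is kept — so `echo "Setting SEMGREP_RULES to \'$SEMGREP_RULES\'"` prints `Setting SEMGREP_RULES to \'auto\'` rather than quoting the value; the `IS_MOBILE` echo in the next hunk has the same problem. A literal single quote needs no escaping inside double quotes, so `echo "Setting SEMGREP_RULES to '$SEMGREP_RULES'"` is enough. The re-enabled `pull_request:` trigger with `types: [opened, reopened, synchronize, edited]` means this reusable workflow now also runs on its own repository's PRs; `edited` fires on title and description edits that change no code and only adds duplicate scans.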
@@ -75,17 +76,8 @@ jobs:
 steps:
 - name: "Checkout repository"
 uses: actions/checkout@v3
- if:
- ${{ needs.set-scan-configs.outputs.IS_MOBILE }} == format('false')
-
- - name: "Echo IS_MOBILE"
- run: "echo ${{ needs.set-scan-configs.outputs.IS_MOBILE }}"
- if:
- ${{ needs.set-scan-configs.outputs.IS_MOBILE }} == ${{ false }}
 - name: "Run mobsfscan"
 uses: MobSF/mobsfscan@main
 with:
 args: '. --sonarqube'
- if:
- ${{ needs.set-scan-configs.outputs.IS_MOBILE }} != 'true'
From 3d02ffcc48d9d7e68a090ea2e5c7a61524605da9 Mon Sep 17 00:00:00 2001
From: Adrian Kim
Date: Wed, 14 Sep 2022 11:56:12 -0400
Subject: [PATCH 27/27] Correct certain config names, enable diff-aware scans
---
 .github/workflows/security-checks.yml | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index d01f3cf..84eabd3 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -21,9 +21,9 @@ jobs:
 REPO_NAME=${{ github.event.repository.name }}
 if [[ $REPO_NAME =~ "/android/" ]]; then
- SEMGREP_RULES="p/java p/kotlin p/javascript p/bash p/yaml"
+ SEMGREP_RULES="p/java p/kotlin p/javascript r/bash r/yaml"
 elif [[ $REPO_NAME =~ "/apple/" ]]; then
- SEMGREP_RULES="p/ci p/javascript p/ruby p/bash p/yaml"
+ SEMGREP_RULES="p/ci p/javascript p/ruby r/bash r/yaml"
 elif [[ $REPO_NAME =~ "/web/" || $REPO_NAME =~ "/node/" ]]; then
 SEMGREP_RULES="p/javascript p/typescript"
 else
@@ -61,10 +61,23 @@ jobs:
 - name: "Checkout repository"
 uses: actions/checkout@v3
+ - name: "Determine base branch"
+ run: |
+ if [[ -n $(git branch --list main) ]]; then
+ echo "SEMGREP_BASELINE_REF=main" >> $GITHUB_ENV
+ elif [[ -n $(git branch --list master) ]]; then
+ echo "SEMGREP_BASELINE_REF=master" >> $GITHUB_ENV
+ else
+ echo "Could not find either main or master branch! Defaulting to HEAD^"
+ echo "SEMGREP_BASELINE_REF=HEAD^" >> $GITHUB_ENV
+ "{environment_variable_name}={value}" >> $GITHUB_ENV
+ fi
+
 - name: "Run Semgrep"
 run: "semgrep ci"
 env:
 SEMGREP_RULES: ${{ needs.set-scan-configs.outputs.SEMGREP_RULES }}
+ SEMGREP_BASELINE_REF: ${{ env.SEMGREP_BASELINE_REF }} # enables diff-aware scans
 run-mobsfscan:
 name: "Run mobsfscan to find Android/iOS vulnerabilities and misconfigurations"
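Review bot: The "Determine base branch" step cannot succeed on the path it is most likely to take: its `else` branch runs `"{environment_variable_name}={value}" >> $GITHUB_ENV`, a leftover of the documentation template that bash executes as a command name (a quoted word is not an assignment), so it exits 127 and, with the `-e` the runner passes to `run:` shells, fails the step — and `else` is the likely branch, because `actions/checkout@v3` fetches a single commit by default and creates no local `main`/`master` branch for `git branch --list` to find (in a depth-1 clone even `HEAD^` is missing). Diff-aware scanning needs the base history, so the checkout should fetch it (`fetch-depth: 0`) and the baseline should name a remote-tracking ref such as `origin/main`; the rewrite below does that and drops the stray line. The `env:` entry `SEMGREP_BASELINE_REF: ${{ env.SEMGREP_BASELINE_REF }}` on the Semgrep step is redundant, since values appended to `$GITHUB_ENV` are already exported to later steps, and the `# enables diff-aware scans` comment would sit better on the step that computes the value. The `run-semgrep` job header, including the `container:` this step executes in, lies above the hunk; `[[ ... ]]` is bash-only, so confirm that image provides bash (the runner falls back to `sh -e` when it does not).
```yaml
- name: "Checkout repository"
  uses: actions/checkout@v3
  with:
    fetch-depth: 0  # diff-aware scans need the base branch history, not a single commit

- name: "Determine base branch"
  run: |
    if git rev-parse --verify --quiet origin/main >/dev/null; then
      echo "SEMGREP_BASELINE_REF=origin/main" >> "$GITHUB_ENV"
    elif git rev-parse --verify --quiet origin/master >/dev/null; then
      echo "SEMGREP_BASELINE_REF=origin/master" >> "$GITHUB_ENV"
    else
      echo "Could not find either main or master branch! Defaulting to HEAD^"
      echo "SEMGREP_BASELINE_REF=HEAD^" >> "$GITHUB_ENV"
    fi
# … unchanged: "Run Semgrep" step …
```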