From e67bc914501062716d24280f9557866024107e27 Mon Sep 17 00:00:00 2001
From: mikecstone <88253766+mikecstone@users.noreply.github.com>
Date: Thu, 28 May 2026 19:49:13 -0400
Subject: [PATCH 1/3] Create semgrep.yml
---
.github/workflows/semgrep.yml | 49 +++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 .github/workflows/semgrep.yml
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 00000000..4c48600f
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,49 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow file requires a free account on Semgrep.dev to
+# manage rules, file ignores, notifications, and more.
+#
+# See https://semgrep.dev/docs
+
+name: Semgrep
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '18 7 * * 6'
+
+permissions:
+ contents: read
+
+jobs:
+ semgrep:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ name: Scan
+ runs-on: ubuntu-latest
+ steps:
+ # Checkout project source
+ - uses: actions/checkout@v4
+
+ # Scan code using project's configuration on https://semgrep.dev/manage
+ - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735
+ with:
+ publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
+ publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}
+ generateSarif: "1"
+
+ # Upload SARIF file generated in previous step
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: semgrep.sarif
+ if: always()
From 033cafaea0b9ed73906f3353b97eb2d6d711eec4 Mon Sep 17 00:00:00 2001
From: mikecstone <88253766+mikecstone@users.noreply.github.com>
Date: Thu, 28 May 2026 19:54:31 -0400
Subject: [PATCH 2/3] Update semgrep.yml
---
.github/workflows/semgrep.yml | 100 ++++++++++++++++++++++------------
1 file changed, 64 insertions(+), 36 deletions(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 4c48600f..24740c78 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
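Review bot: Only the semgrep step is pinned to a commit SHA; `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3` are mutable tags that the publisher can repoint, which matters more here because the job runs with `security-events: write`. Pin both to a full commit with the version kept as a trailing comment, e.g. `uses: actions/checkout@<commit-sha-placeholder> # v4`, so the workflow executes the code that was reviewed. The same tag-only references carry over unchanged into the rewrite in PATCH 2/3 (the `@@ -1,49 +1,77 @@` hunk), so the pinning fix applies there as well.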
@@ -1,49 +1,77 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow file requires a free account on Semgrep.dev to -# manage rules, file ignores, notifications, and more. -# -# See https://semgrep.dev/docs - name: Semgrep - + on: push: - branches: [ "main" ] + branches: ["main", "develop"] pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] + branches: ["main", "develop"] schedule: - - cron: '18 7 * * 6' - -permissions: - contents: read - + - cron: '0 8 * * 1' # weekly full scan every Monday 8am + jobs: semgrep: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: Scan + name: Semgrep Scan runs-on: ubuntu-latest + container: + image: semgrep/semgrep + + permissions: + contents: read + security-events: write # required for SARIF upload to GitHub Security tab + steps: - # Checkout project source - - uses: actions/checkout@v4 - - # Scan code using project's configuration on https://semgrep.dev/manage - - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735 + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 # full history needed for accurate diff on PRs + + - name: Run SAST (Code) + env: + SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} + run: | + semgrep ci \ + --config=auto \ + --sarif \ + --output=semgrep-sast.sarif + continue-on-error: true # remove this if you want SAST to block the pipeline + + - name: Run SCA (Supply Chain) + env: + SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} + run: | + semgrep ci \ + --supply-chain \ + --sarif \ + --output=semgrep-sca.sarif + 
continue-on-error: true + + - name: Run Secrets Detection + env: + SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} + run: | + semgrep ci \ + --secrets \ + --sarif \ + --output=semgrep-secrets.sarif + continue-on-error: true + + - name: Upload SAST results to GitHub Security + uses: github/codeql-action/upload-sarif@v3 with: - publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} - publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} - generateSarif: "1" - - # Upload SARIF file generated in previous step - - name: Upload SARIF file + sarif_file: semgrep-sast.sarif + category: semgrep-sast + if: always() + + - name: Upload SCA results to GitHub Security + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: semgrep-sca.sarif + category: semgrep-sca + if: always() + + - name: Upload Secrets results to GitHub Security uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: semgrep.sarif + sarif_file: semgrep-secrets.sarif + category: semgrep-secrets if: always()
From 83efc041b9654ce646234e4b3e7bcbacbbd10643 Mon Sep 17 00:00:00 2001
From: mikecstone <88253766+mikecstone@users.noreply.github.com>
Date: Thu, 28 May 2026 20:00:46 -0400
Subject: [PATCH 3/3] Update requirements.txt
---
requirements.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index 96714824..4e983744 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -10,4 +10,4 @@ MarkupSafe==2.0.1
requests==2.27.1
urllib3==1.26.8
waitress==2.1.1
-Werkzeug==2.0.1
+Werkzeug==2.0.0
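Review bot: The job-level `container: image: semgrep/semgrep` carries no tag or digest, so every run pulls whatever the registry currently serves as `latest` and the scanner that produces the Security-tab findings can change silently between runs, a regression from the SHA-pinned action this hunk removes. Pin it, e.g. `image: semgrep/semgrep:<version-placeholder>@sha256:<digest-placeholder>`, and bump it deliberately. Separately, each upload step runs under `if: always()` while its scan step has `continue-on-error: true`, so if `semgrep ci` exits before writing its SARIF file (plausibly on a fork pull request where `secrets.SEMGREP_APP_TOKEN` is empty — confirm) the `upload-sarif` step fails on the missing file and reds the job that `continue-on-error` was meant to keep green; guarding with `if: always() && hashFiles('semgrep-sast.sarif') != ''` (and the `-sca`/`-secrets` counterparts) keeps the intent. Only the SAST step documents that non-blocking is deliberate; the SCA and Secrets steps should carry the same comment, or the Secrets step should drop `continue-on-error` if leaked credentials are meant to gate merges. If I read the CLI correctly, passing `--config=auto` to `semgrep ci` makes it run without the Semgrep App policy even though the token is set, so the SAST step may not be executing the rules configured in the app — worth confirming against the semgrep docs.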