Merge pull request #1958 from D4rk4/SAST

Implement automatic static code scan with Semgrep & Flawfinder
2025-04-26 01:52:48 +00:00 · 2022-11-20 11:10:19 -06:00 · 2022-11-20 11:10:19 -06:00 · aa553ea5d8
commit aa553ea5d8
parent da48f0704b e54e37a600
5 changed files with 113 additions and 0 deletions
--- a/.github/workflows/sec_sast_flawfinder.yml
+++ b/.github/workflows/sec_sast_flawfinder.yml
@ -0,0 +1,40 @@
+---
+name: Flawfinder Scan
+
+on:
+  push:
+    branches: [master, develop]
+    paths-ignore:
+      - "**.md"
+      - "version.properties"
+
+jobs:
+  flawfinder:
+      runs-on: ubuntu-latest
+      name: Flawfinder
+
+      steps:
+        # step 1
+        - name: clone application source code
+          uses: actions/checkout@v3
+
+        # step 2
+        - name: flawfinder_scan
+          uses: david-a-wheeler/flawfinder@2.0.19
+          with:
+            arguments: '--sarif ./'
+            output: 'flawfinder_report.sarif'
+
+        # step 3
+        - name: save report as pipeline artifact
+          uses: actions/upload-artifact@v3
+          with:
+            name: flawfinder_report.sarif
+            path: flawfinder_report.sarif
+
+        # step 4
+        - name: publish code scanning alerts
+          uses: github/codeql-action/upload-sarif@v2
+          with:
+            sarif_file: flawfinder_report.sarif
+            category: flawfinder
--- a/.github/workflows/sec_sast_flawfinder_pull.yml
+++ b/.github/workflows/sec_sast_flawfinder_pull.yml
--- a/.github/workflows/sec_sast_semgrep_cron.yml
+++ b/.github/workflows/sec_sast_semgrep_cron.yml
@ -0,0 +1,44 @@
+---
+name: Semgrep Full Scan
+
+on:
+  workflow_dispatch:
+    branches:
+      - master
+  schedule:
+    - cron:  '0 1 * * 6'
+
+jobs:
+
+  semgrep-full:
+      runs-on: ubuntu-latest
+      container:
+        image: returntocorp/semgrep
+
+      steps:
+
+        # step 1
+        - name: clone application source code
+          uses: actions/checkout@v3
+
+        # step 2
+        - name: full scan
+          run: |
+            semgrep \
+              --sarif --output report.sarif \
+              --metrics=off \
+              --config="p/default"
+
+        # step 3
+        - name: save report as pipeline artifact
+          uses: actions/upload-artifact@v3
+          with:
+            name: report.sarif
+            path: report.sarif
+
+        # step 4
+        - name: publish code scanning alerts
+          uses: github/codeql-action/upload-sarif@v2
+          with:
+            sarif_file: report.sarif
+            category: semgrep
--- a/.github/workflows/sec_sast_semgrep_pull.yml
+++ b/.github/workflows/sec_sast_semgrep_pull.yml
@ -0,0 +1,28 @@
+---
+name: Semgrep Differential Scan
+on:
+  pull_request
+
+jobs:
+
+  semgrep-diff:
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+
+    steps:
+
+      # step 1
+      - name: clone application source code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      # step 2
+      - name: differential scan
+        run: |
+          semgrep scan \
+            --error \
+            --metrics=off \
+            --baseline-commit ${{ github.event.pull_request.base.sha }} \
+            --config="p/default"
--- a/.semgrepignore
+++ b/.semgrepignore
@ -1 +1,2 @@
 .github/workflows/main_matrix.yml
+src/mesh/compression/unishox2.c