Merge pull request #1958 from D4rk4/SAST

Implement automatic static code scan with Semgrep & Flawfinder

.github/workflows/sec_sast_flawfinder.yml

@@ -0,0 +1,40 @@
+---
+name: Flawfinder Scan
+
+on:
+  push:
+    branches: [master, develop]
+    paths-ignore:
+      - "**.md"
+      - "version.properties"
+
+jobs:
+  flawfinder:
+      runs-on: ubuntu-latest
+      name: Flawfinder
+
+      steps:
+        # step 1
+        - name: clone application source code
+          uses: actions/checkout@v3
+
+        # step 2
+        - name: flawfinder_scan
+          uses: david-a-wheeler/flawfinder@2.0.19
+          with:
+            arguments: '--sarif ./'
+            output: 'flawfinder_report.sarif'
+
+        # step 3
+        - name: save report as pipeline artifact
+          uses: actions/upload-artifact@v3
+          with:
+            name: flawfinder_report.sarif
+            path: flawfinder_report.sarif
+
+        # step 4
+        - name: publish code scanning alerts
+          uses: github/codeql-action/upload-sarif@v2
+          with:
+            sarif_file: flawfinder_report.sarif
+            category: flawfinder

.github/workflows/sec_sast_semgrep_cron.yml

@@ -0,0 +1,44 @@
+---
+name: Semgrep Full Scan
+
+on:
+  workflow_dispatch:
+    branches:
+      - master
+  schedule:
+    - cron:  '0 1 * * 6'
+
+jobs:
+
+  semgrep-full:
+      runs-on: ubuntu-latest
+      container:
+        image: returntocorp/semgrep
+
+      steps:
+
+        # step 1
+        - name: clone application source code
+          uses: actions/checkout@v3
+
+        # step 2
+        - name: full scan
+          run: |
+            semgrep \
+              --sarif --output report.sarif \
+              --metrics=off \
+              --config="p/default"
+
+        # step 3
+        - name: save report as pipeline artifact
+          uses: actions/upload-artifact@v3
+          with:
+            name: report.sarif
+            path: report.sarif
+
+        # step 4
+        - name: publish code scanning alerts
+          uses: github/codeql-action/upload-sarif@v2
+          with:
+            sarif_file: report.sarif
+            category: semgrep

.github/workflows/sec_sast_semgrep_pull.yml

@@ -0,0 +1,28 @@
+---
+name: Semgrep Differential Scan
+on:
+  pull_request
+
+jobs:
+
+  semgrep-diff:
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+
+    steps:
+
+      # step 1
+      - name: clone application source code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      # step 2
+      - name: differential scan
+        run: |
+          semgrep scan \
+            --error \
+            --metrics=off \
+            --baseline-commit ${{ github.event.pull_request.base.sha }} \
+            --config="p/default"

.semgrepignore

@@ -1 +1,2 @@
 .github/workflows/main_matrix.yml
+src/mesh/compression/unishox2.c