From 8d0c38593b42fdff5d1acce861ff94345cec02b3 Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Mon, 15 Sep 2025 09:46:53 +0800
Subject: [PATCH 01/20] Create main.yml
---
 .github/workflows/main.yml | 59 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 .github/workflows/main.yml
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 00000000..c9674485
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,59 @@ +# REV 1.7 +# 1.0 - initial release +# 1.1 - updated container image address to point to internal cache harbor +# 1.2 - implementing REV version(s) for quick version validation/comparison +# 1.3 - implementing reusable workflow +# 1.4 - implementing auto tagging feature and command flag support (https://github.com/intel-innersource/frameworks.actions.semgrep-auto-tag-scan) +# 1.5 - implementing feature to fail pull request if specified number of high and/or medium findings are present and allow user to input prod branch +# 1.6 - implementing multi-tag support +# 1.7 - use main branch's workflow instead of specified version + +# Name of this GitHub Actions workflow. +name: Semgrep SAST + +on: + # Scan changed files in PRs (diff-aware scanning): + pull_request: {} + + # Scan on-demand through GitHub Actions interface: + workflow_dispatch: {} + + # Scan mainline branches and report all findings: + # Ensure you have the correct branch/es for your project + # Recommend only setting the default branch on push, or branches you push to frequently + push: + branches: ["main"] + + # Schedule the CI job (this method uses cron syntax): + #schedule: + #- cron: '0 0 1 * *' # Sets Semgrep to scan on the 1st of every month at 12:00 AM UTC. + # It is recommended to change the schedule to a random time. 
+
+jobs:
+ Call-Workflow:
+ uses: intel-innersource/frameworks.actions.semgrep-static-code-scan/.github/workflows/semgrep.yml@main
+ with:
+ # (Required) Please insert the runner group for your project
+ # Example: runner-group: 'innersource.prod.amr.dind'
+ runner-group: 'innersource.prod.amr.dind'
+ # (Optional) Please insert the IAPM ID of the application here
+ # If you have more than 1 IAPM ID, please separate them with a comma
+ # If at least 1 ID has not been entered the auto-tagging feature will not work
+ iapm-ids: '40825'
+ # (Optional) Please insert the branch that should be tagged as "prod"
+ prod-branch: 'main'
+ # (Optional) Please indicate if this should be calculated for ASPN scoring entering true
+ # If set to true, the default branch will be tagged as prod and all other branches will be tagged as dev
+ prod-scan: 'true'
+ # (Optional) Enter any option command flags for debugging the scan or obtaining additional details
+ # Example: '--verbose --max-target-bytes=500000'
+ semgrep-flags: ''
+ # (Optional) Enter the max number of high serverity findings to tolerate before failing a PR
+ max-high-severity: ''
+ # (Optional) Enter the max number of medium severity findings to tolerate before failing a PR
+ max-medium-severity: ''
+ # (Optional) If you would like to tag your project with something other than the IAPM ID
+ # You can enter them here separated by a comma
+ other-tags: ''
+ secrets:
+ SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
From 5f5367877c8516e744420f1cdbbaae2b915407e0 Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Mon, 15 Sep 2025 09:47:28 +0800
Subject: [PATCH 02/20] Rename main.yml to semgrep.yml
---
 .github/workflows/{main.yml => semgrep.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/workflows/{main.yml => semgrep.yml} (100%)
diff --git a/.github/workflows/main.yml b/.github/workflows/semgrep.yml
similarity index 100%
rename from .github/workflows/main.yml
rename to .github/workflows/semgrep.yml
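Review bot: The `uses:` line pins the reusable workflow to the mutable `main` branch, so the code that receives `SEMGREP_APP_TOKEN` and runs on the configured runner group is whatever that branch holds at run time; the REV 1.7 header records this as deliberate, so either state that trade-off next to the line or pin a full commit SHA (`uses: intel-innersource/frameworks.actions.semgrep-static-code-scan/.github/workflows/semgrep.yml@<commit-sha>`) and bump it on purpose. No top-level `permissions:` block is declared, so the job inherits the repository's default `GITHUB_TOKEN` scope; add one with the minimum the called workflow needs (`contents: read` at least — what it needs to report findings is not visible here). On `pull_request` runs from forks `secrets.SEMGREP_APP_TOKEN` is empty, so the `secrets:` line passes nothing and the scan presumably fails for those PRs; a comment or a job-level condition would make that expected rather than surprising. `prod-scan: 'true'` is a quoted string; if the called workflow declares that input with `type: boolean`, GitHub may reject the string at validation, so match the declared type.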
From 5e80473b047ca683f82dbbcb69f10b87a6d7a726 Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Tue, 16 Sep 2025 13:47:18 +0800
Subject: [PATCH 03/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index c9674485..5ad15a2f 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -31,7 +31,7 @@ on:

 jobs:
 Call-Workflow:
- uses: intel-innersource/frameworks.actions.semgrep-static-code-scan/.github/workflows/semgrep.yml@main
+ uses: .github/workflows/semgrep.yml@main
 with:
 # (Required) Please insert the runner group for your project
 # Example: runner-group: 'innersource.prod.amr.dind'
From 95dfe9a9a096f99f4842e9ac81e99d03c084218a Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Tue, 16 Sep 2025 13:48:16 +0800
Subject: [PATCH 04/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 5ad15a2f..f6470d43 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -31,7 +31,7 @@ on:

 jobs:
 Call-Workflow:
- uses: .github/workflows/semgrep.yml@main
+ uses: ./.github/workflows/semgrep.yml@main
 with:
 # (Required) Please insert the runner group for your project
 # Example: runner-group: 'innersource.prod.amr.dind'
From a999724663cecf8e28034233f811ad4b291d1563 Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Tue, 16 Sep 2025 13:50:19 +0800
Subject: [PATCH 05/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index f6470d43..2677719c 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
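Review bot: The new `uses:` value `.github/workflows/semgrep.yml@main` in patch 03 is not a reference GitHub accepts for a reusable workflow: it must be either `{owner}/{repo}/.github/workflows/{file}@{ref}` or a same-repository path that starts with `./` and carries no `@ref`, so the run should fail when the workflow is parsed; patch 04 on this same line (`./.github/workflows/semgrep.yml@main`) keeps the trailing `@main` and, as far as I know, fails for the same reason. Both forms also point the job at this very file, which at this point has no `workflow_call` trigger and so cannot be called at all. If a same-repository call is intended, the callee needs `on: workflow_call:` and should be a separate file from this caller, referenced as `uses: ./.github/workflows/<callee>.yml`.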
@@ -31,7 +31,7 @@ on:

 jobs:
 Call-Workflow:
- uses: ./.github/workflows/semgrep.yml@main
+ uses: kangkaihui/xFasterTransformer.github/workflows/semgrep.yml@main
 with:
 # (Required) Please insert the runner group for your project
 # Example: runner-group: 'innersource.prod.amr.dind'
From 12bac0838b9bf97ffbd5fc3422b7bef6ab12157d Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Tue, 16 Sep 2025 13:51:03 +0800
Subject: [PATCH 06/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 2677719c..1509d45d 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -31,7 +31,7 @@ on:

 jobs:
 Call-Workflow:
- uses: kangkaihui/xFasterTransformer.github/workflows/semgrep.yml@main
+ uses: kangkaihui/xFasterTransformer/.github/workflows/semgrep.yml@main
 with:
 # (Required) Please insert the runner group for your project
 # Example: runner-group: 'innersource.prod.amr.dind'
From 43e32c0e73f175f26eb77b445f273681fe1673e5 Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Tue, 16 Sep 2025 14:09:20 +0800
Subject: [PATCH 07/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 1509d45d..8f7be741 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -31,7 +31,7 @@ on:

 jobs:
 Call-Workflow:
- uses: kangkaihui/xFasterTransformer/.github/workflows/semgrep.yml@main
+ uses: intel/xFasterTransformer/.github/workflows/semgrep.yml@main
 with:
 # (Required) Please insert the runner group for your project
 # Example: runner-group: 'innersource.prod.amr.dind'
From 377e77e741073e78a77041f3d1e5b96a1da3de60 Mon Sep 17 00:00:00 2001
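Review bot: `kangkaihui/xFasterTransformer.github/workflows/semgrep.yml@main` in patch 05 is missing the `/` before `.github`, so the reference is read as repository `xFasterTransformer.github` with path `workflows/semgrep.yml` and GitHub will not find a workflow there; patch 06 on this line repairs the slash but now points the job at a personal fork's `main` branch, which means whoever can push to that fork controls the code that runs with this repository's `SEMGREP_APP_TOKEN` and runner group. Patch 07 then targets `intel/xFasterTransformer/.github/workflows/semgrep.yml@main`, the same path as this file, i.e. a workflow calling itself; as far as I know GitHub rejects the resulting loop, and in any case the target has no `workflow_call` trigger at this point, so the call cannot succeed. Patches 08 and 14 later return to the fork reference and the series ends on it, so the trust-boundary point applies to the final state: reference a repository the organisation controls and pin it to a commit SHA rather than a branch.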
From: kangkaihui
Date: Tue, 16 Sep 2025 14:11:56 +0800
Subject: [PATCH 08/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 8f7be741..1509d45d 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -31,7 +31,7 @@ on:

 jobs:
 Call-Workflow:
- uses: intel/xFasterTransformer/.github/workflows/semgrep.yml@main
+ uses: kangkaihui/xFasterTransformer/.github/workflows/semgrep.yml@main
 with:
 # (Required) Please insert the runner group for your project
 # Example: runner-group: 'innersource.prod.amr.dind'
From 6e6c15a2c1f983873f8ebbca23290334a8252531 Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Tue, 16 Sep 2025 14:25:30 +0800
Subject: [PATCH 09/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 1509d45d..5c70d4cd 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -12,6 +12,7 @@
 name: Semgrep SAST

 on:
+ workflow_call:
 # Scan changed files in PRs (diff-aware scanning):
 pull_request: {}

From 23e939c58a244383350d9ed50355d48badff478a Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Tue, 16 Sep 2025 14:27:53 +0800
Subject: [PATCH 10/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 5c70d4cd..18698499 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -32,7 +32,7 @@ on:

 jobs:
 Call-Workflow:
- uses: kangkaihui/xFasterTransformer/.github/workflows/semgrep.yml@main
+ uses:
 with:
 # (Required) Please insert the runner group for your project
 # Example: runner-group: 'innersource.prod.amr.dind'
From f9ae99c059f6cd61f44e428a8c573eabc45682bb Mon Sep 17 00:00:00 2001
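Review bot: Adding `workflow_call:` under `on:` in patch 09 makes this file callable as a reusable workflow while its only job still `uses:` a workflow at the identical path in another repository (`kangkaihui/xFasterTransformer/.github/workflows/semgrep.yml@main` after patch 08); if that target is a copy of this file the call chain becomes recursive, and when this file is itself the callee, `secrets.SEMGREP_APP_TOKEN` resolves only from what the caller passes under `secrets:` or via `secrets: inherit`, which nothing here declares. If the goal is to let other workflows reuse this scan, the callee should be a separate file that declares its `inputs:` and `secrets:` under `workflow_call`, and this file should stay a plain caller. Style: write `workflow_call: {}` to match `pull_request: {}` and `workflow_dispatch: {}` above it. The trigger is removed and re-added again in patches 15, 16 and 18, and the series ends without it.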
From: kangkaihui
Date: Tue, 16 Sep 2025 14:28:51 +0800
Subject: [PATCH 11/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 18698499..0f4c708c 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -32,7 +32,7 @@ on:

 jobs:
 Call-Workflow:
- uses:
+ uses: intel-innersource/frameworks.actions.semgrep-static-code-scan/.github/workflows/semgrep.yml@main
 with:
 # (Required) Please insert the runner group for your project
 # Example: runner-group: 'innersource.prod.amr.dind'
From 5619a39d39879a3b28239bb2599a39f19d13f0e4 Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Tue, 16 Sep 2025 14:30:00 +0800
Subject: [PATCH 12/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 0f4c708c..88f1142d 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -32,7 +32,7 @@ on:

 jobs:
 Call-Workflow:
- uses: intel-innersource/frameworks.actions.semgrep-static-code-scan/.github/workflows/semgrep.yml@main
+ uses: intel/xFasterTransformer/actions/workflows/semgrep.yml@main
 with:
 # (Required) Please insert the runner group for your project
 # Example: runner-group: 'innersource.prod.amr.dind'
From b6c3a876970b3988464107d061dc42cd56dc86e7 Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Tue, 16 Sep 2025 14:30:53 +0800
Subject: [PATCH 13/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 88f1142d..a76e948e 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -32,7 +32,7 @@ on:

 jobs:
 Call-Workflow:
- uses: intel/xFasterTransformer/actions/workflows/semgrep.yml@main
+ uses: intel/xFasterTransformer/.github/workflows/semgrep.yml@main
 with:
 # (Required) Please insert the runner group for your project
 # Example: runner-group: 'innersource.prod.amr.dind'
From c4d315ee14718a4672abfc2ed4af399c8e6ab096 Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Tue, 16 Sep 2025 14:31:47 +0800
Subject: [PATCH 14/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index a76e948e..316c732e 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -32,11 +32,11 @@ on:

 jobs:
 Call-Workflow:
- uses: intel/xFasterTransformer/.github/workflows/semgrep.yml@main
+ uses: kangkaihui/xFasterTransformer/.github/workflows/semgrep.yml@main
 with:
 # (Required) Please insert the runner group for your project
 # Example: runner-group: 'innersource.prod.amr.dind'
- runner-group: 'innersource.prod.amr.dind'
+ runner-group: ''
 # (Optional) Please insert the IAPM ID of the application here
 # If you have more than 1 IAPM ID, please separate them with a comma
 # If at least 1 ID has not been entered the auto-tagging feature will not work
From 84d0cebb8015e51491dbca60c8aaa6aa716b382b Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Tue, 16 Sep 2025 14:32:13 +0800
Subject: [PATCH 15/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 316c732e..e537341f 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -12,7 +12,6 @@
 name: Semgrep SAST

 on:
- workflow_call:
 # Scan changed files in PRs (diff-aware scanning):
 pull_request: {}

From 9fe8ba4be942d590a59743517fa0057260fb32de Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Tue, 16 Sep 2025 14:35:39 +0800
Subject: [PATCH 16/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index e537341f..316c732e 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -12,6 +12,7 @@
 name: Semgrep SAST

 on:
+ workflow_call:
 # Scan changed files in PRs (diff-aware scanning):
 pull_request: {}

From 789f5f8b1f8d9ad5924fe01c99667ae06a6c76f6 Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Tue, 16 Sep 2025 14:39:06 +0800
Subject: [PATCH 17/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 316c732e..6ae7070b 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -40,7 +40,7 @@ jobs:
 # (Optional) Please insert the IAPM ID of the application here
 # If you have more than 1 IAPM ID, please separate them with a comma
 # If at least 1 ID has not been entered the auto-tagging feature will not work
- iapm-ids: '40825'
+ iapm-ids: ''
 # (Optional) Please insert the branch that should be tagged as "prod"
 prod-branch: 'main'
 # (Optional) Please indicate if this should be calculated for ASPN scoring entering true
From cb837dc4a9fd6ddd0aaa31dc2eff55fa4c71c1f8 Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Tue, 16 Sep 2025 14:41:47 +0800
Subject: [PATCH 18/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 6ae7070b..db692e0b 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -12,7 +12,6 @@
 name: Semgrep SAST

 on:
- workflow_call:
 # Scan changed files in PRs (diff-aware scanning):
 pull_request: {}

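Review bot: `iapm-ids` is cleared to `''` in patch 17 while the comment directly above it still says auto-tagging needs at least one ID and `prod-scan` stays `'true'`, so per those comments the prod/dev tagging silently stops applying without anything recording that; patch 18 on the next line restores `'40825'` and patch 20 clears it again, so the series ends with the value empty. If running without an IAPM ID is intended, say so where the value is set, e.g. `iapm-ids: ''  # intentionally empty: auto-tagging disabled for this repository`. Otherwise keep the ID, since an empty value is indistinguishable from a forgotten one to the next reader.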
@@ -40,12 +39,12 @@ jobs:
 # (Optional) Please insert the IAPM ID of the application here
 # If you have more than 1 IAPM ID, please separate them with a comma
 # If at least 1 ID has not been entered the auto-tagging feature will not work
- iapm-ids: ''
+ iapm-ids: '40825'
 # (Optional) Please insert the branch that should be tagged as "prod"
 prod-branch: 'main'
 # (Optional) Please indicate if this should be calculated for ASPN scoring entering true
 # If set to true, the default branch will be tagged as prod and all other branches will be tagged as dev
- prod-scan: 'true'
+ prod-scan: ''
 # (Optional) Enter any option command flags for debugging the scan or obtaining additional details
 # Example: '--verbose --max-target-bytes=500000'
 semgrep-flags: ''
From 6b75327d2eafee0b9a088235ea8129d94d2f37e0 Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Tue, 16 Sep 2025 14:53:50 +0800
Subject: [PATCH 19/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index db692e0b..c17f1194 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -10,7 +10,6 @@

 # Name of this GitHub Actions workflow.
 name: Semgrep SAST
-
 on:
 # Scan changed files in PRs (diff-aware scanning):
 pull_request: {}
@@ -35,7 +34,7 @@ jobs:
 with:
 # (Required) Please insert the runner group for your project
 # Example: runner-group: 'innersource.prod.amr.dind'
- runner-group: ''
+ runner-group: 'innersource.prod.amr.dind'
 # (Optional) Please insert the IAPM ID of the application here
 # If you have more than 1 IAPM ID, please separate them with a comma
 # If at least 1 ID has not been entered the auto-tagging feature will not work
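Review bot: `runner-group: 'innersource.prod.amr.dind'` is restored in patch 19 as the group this job runs on, and the workflow is triggered by `pull_request` with no branch or origin filter, so pull requests — including ones from forks if this repository is public — get checked out on an internal, production-labelled runner group; GitHub's own guidance is not to run public-repository PR workflows on self-hosted runners, because the runner's network position and anything cached on it could be exposed to untrusted code. If the repository is public, gate the job (`if: github.event.pull_request.head.repo.full_name == github.repository`, or an equivalent condition on the event) or scan PRs on hosted runners; if it is internal, a comment next to `runner-group` saying so would settle the question for the next reader. The group name is also an infrastructure detail that may not belong in a public file; that inference rests on the `innersource`/`prod` naming alone and is not verifiable here.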
@@ -44,7 +43,7 @@ jobs:
 prod-branch: 'main'
 # (Optional) Please indicate if this should be calculated for ASPN scoring entering true
 # If set to true, the default branch will be tagged as prod and all other branches will be tagged as dev
- prod-scan: ''
+ prod-scan: 'true'
 # (Optional) Enter any option command flags for debugging the scan or obtaining additional details
 # Example: '--verbose --max-target-bytes=500000'
 semgrep-flags: ''
From de6a98616ed64784a7599b1f484d60190ad0e930 Mon Sep 17 00:00:00 2001
From: kangkaihui
Date: Tue, 16 Sep 2025 14:56:17 +0800
Subject: [PATCH 20/20] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index c17f1194..5f9ef5de 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -38,7 +38,7 @@ jobs:
 # (Optional) Please insert the IAPM ID of the application here
 # If you have more than 1 IAPM ID, please separate them with a comma
 # If at least 1 ID has not been entered the auto-tagging feature will not work
- iapm-ids: '40825'
+ iapm-ids: ''
 # (Optional) Please insert the branch that should be tagged as "prod"
 prod-branch: 'main'
 # (Optional) Please indicate if this should be calculated for ASPN scoring entering true