
feat: implement comprehensive SAST pipeline with security vulnerabilities#31

Merged
andoniaf merged 1 commit into unicrons:main from EduardoSimon:sast-step
Sep 10, 2025

Conversation

@EduardoSimon
Collaborator

🔒 SAST Code Scan Step Implementation

Implements comprehensive SAST pipeline with CodeQL and Semgrep Community Edition to detect security vulnerabilities in JavaScript applications.

CodeQL provides GitHub's official security analysis with deep semantic queries, while Semgrep offers fast pattern-based detection using community security rules. Both tools fail the pipeline when vulnerabilities are detected and upload SARIF results to GitHub Security tab with PR-specific finding links.

🚨 Added 5 intentional vulnerabilities to simple-app.js for demonstration:

  • Hardcoded AWS credentials
  • SQL injection in user lookup
  • XSS in greeting functionality
  • Command injection in ping endpoint
  • Path traversal in file access

🛠️ Tools Implemented

CodeQL provides GitHub's official security analysis with deep semantic queries, while Semgrep offers fast pattern-based detection using community security rules.

✨ Key Features

  • Security gate pattern - Pipeline fails when vulnerabilities detected
  • GitHub Security tab integration - SARIF upload for unified reporting
  • PR-specific finding links - Direct navigation to security findings
  • Open source tools - No licensing requirements
  • Native GitHub Actions support - Official actions with no complex setup

Uses open source tools with native GitHub Actions support, requiring no licensing or complex setup for workshop environments.

@EduardoSimon EduardoSimon self-assigned this Sep 7, 2025
@EduardoSimon EduardoSimon force-pushed the sast-step branch 4 times, most recently from 78d3941 to 929173c on September 8, 2025 06:14
@EduardoSimon
Collaborator Author

Hey @andoniaf, I've just updated the base branch; could you review it again?

  • I've modified the CodeQL action to properly check if the step has caught any issues and thus fail.
  • I've also reduced the demo vulnerabilities in the js app to just have one.
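The "security gate" both the description and this comment talk about (fail the job once CodeQL or Semgrep has written its SARIF report and at least one finding is present) can be shown as a standalone CI step. The script below is an added example, not code from this PR or from the unicrons repository: it reads a SARIF 2.1.0 document, flattens every run's results, resolves each result's level (falling back to the rule's `defaultConfiguration`), and returns a non-zero exit code when any finding meets the configured threshold. The file name `sarif_gate.py`, the rule ids and the embedded `SAMPLE_SARIF` report are constructed for illustration.

```python
"""Security-gate step (added example): exit non-zero when a SARIF report
from CodeQL or Semgrep contains findings at or above a chosen level.
The SAMPLE_SARIF below is a constructed, minimal report so the script runs offline."""
import json
import sys
from dataclasses import dataclass

# SARIF "level" values ordered by severity; "none" is informational.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


@dataclass
class Finding:
    tool: str
    rule_id: str
    level: str
    message: str
    location: str  # "path:line", "path", or "unknown"


def _rule_defaults(run: dict) -> dict:
    """Map ruleId -> the level the tool declares in defaultConfiguration."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r.get("id"): r.get("defaultConfiguration", {}).get("level", "warning")
            for r in rules}


def _location(result: dict) -> str:
    """First physical location of a result, if the tool recorded one."""
    locs = result.get("locations") or []
    if not locs:
        return "unknown"
    phys = locs[0].get("physicalLocation", {})
    uri = phys.get("artifactLocation", {}).get("uri", "unknown")
    line = phys.get("region", {}).get("startLine")
    return f"{uri}:{line}" if line is not None else uri


def extract_findings(sarif: dict) -> list:
    """Flatten every run/result in a SARIF document into Finding records."""
    findings = []
    for run in sarif.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown-tool")
        defaults = _rule_defaults(run)
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "unknown-rule")
            # The result's own level wins; otherwise use the rule default, then "warning".
            level = result.get("level") or defaults.get(rule_id, "warning")
            findings.append(Finding(tool=tool, rule_id=rule_id, level=level,
                                    message=result.get("message", {}).get("text", ""),
                                    location=_location(result)))
    return findings


def gate(findings: list, min_level: str = "warning") -> list:
    """Return the findings that should block the pipeline (level >= min_level)."""
    threshold = LEVEL_RANK[min_level]
    return [f for f in findings if LEVEL_RANK.get(f.level, 2) >= threshold]


# Constructed sample: one CodeQL-style run with an error-level and a note-level result.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "js/sql-injection", "defaultConfiguration": {"level": "error"}},
            {"id": "js/unused-local-variable", "defaultConfiguration": {"level": "note"}},
        ]}},
        "results": [
            {"ruleId": "js/sql-injection",
             "message": {"text": "This query depends on a user-provided value."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "simple-app.js"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "js/unused-local-variable",
             "message": {"text": "Unused variable."}},
        ],
    }],
}


def run_gate(sarif: dict, min_level: str = "warning") -> int:
    """Print the blocking findings and return the exit code the CI step should use."""
    blocking = gate(extract_findings(sarif), min_level)
    for f in blocking:
        print(f"[{f.tool}] {f.level.upper()} {f.rule_id} at {f.location}: {f.message}")
    print(f"{len(blocking)} finding(s) at or above '{min_level}'")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python sarif_gate.py results.sarif [min_level]; with no arguments the sample runs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_SARIF
    sys.exit(run_gate(doc, sys.argv[2] if len(sys.argv) > 2 else "warning"))
```

In a workflow this step goes after the scan and after the SARIF upload step; marking the upload step `if: always()` keeps the findings visible in the Security tab even when this gate fails the job. Gating on `warning` rather than `error` is the stricter choice for a workshop, since many Semgrep community rules report at warning level.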

Implements comprehensive SAST pipeline with CodeQL and Semgrep Community Edition
to detect security vulnerabilities in JavaScript applications.

CodeQL provides GitHub's official security analysis with deep semantic queries,
while Semgrep offers fast pattern-based detection using community security rules.
Both tools fail the pipeline when vulnerabilities are detected and upload SARIF
results to GitHub Security tab with PR-specific finding links.

Added 5 intentional vulnerabilities to simple-app.js for demonstration:
- Hardcoded AWS credentials
- SQL injection in user lookup
- XSS in greeting functionality
- Command injection in ping endpoint
- Path traversal in file access

Uses open source tools with native GitHub Actions support, requiring no
licensing or complex setup for workshop environments.
@andoniaf andoniaf merged commit 86031db into unicrons:main Sep 10, 2025
