@@ -34,19 +34,32 @@ jobs:
3434 env :
3535 GITLEAKS_VERSION : " 8.30.0"
3636 steps :
37- - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 .0.2
37+ - uses : actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 .0.0
3838 with :
3939 fetch-depth : 0
4040 - name : Install gitleaks
4141 run : |
4242 curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar -xz;
4343 sudo mv gitleaks /usr/local/bin/;
4444 gitleaks --version;
45- - name : Run gitleaks (full history)
45+ - name : Run gitleaks
4646 id : gitleaks
47+ env :
48+ # On pull_request, restrict the scan to commits the PR introduces so
49+ # it cannot fail on secrets that live only on other, unmerged branches.
50+ # On push/schedule/dispatch, scan the full history reachable from HEAD.
51+ PR_BASE_REF : ${{ github.base_ref }}
4752 run : |
4853 set +e
49- gitleaks git --config=.gitleaks.toml --baseline-path=.gitleaks-baseline.json --report-path=gitleaks-report_sarif.json --report-format=sarif .
54+ # checkout uses fetch-depth: 0, so the base branch is already present
55+ # as origin/<base_ref>; no extra fetch is needed.
56+ if [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
57+ LOG_OPTS="origin/$PR_BASE_REF..HEAD"
58+ else
59+ LOG_OPTS="HEAD"
60+ fi
61+ echo "::notice::gitleaks scanning range: $LOG_OPTS"
62+ gitleaks git --config=.gitleaks.toml --baseline-path=.gitleaks-baseline.json --log-opts="$LOG_OPTS" --report-path=gitleaks-report_sarif.json --report-format=sarif .
5063 GITLEAKS_EXIT=$?
5164 set -e
5265 echo "exit_code=$GITLEAKS_EXIT" >> "$GITHUB_OUTPUT"
@@ -72,10 +85,10 @@ jobs:
7285 security-events : write
7386 runs-on : ubuntu-latest
7487 steps :
75- - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 .0.2
88+ - uses : actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 .0.0
7689 - run : |
7790 echo "bandit[sarif]==1.9.3" > requirements.txt
78- - uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2 .0
91+ - uses : actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3 .0
7992 with :
8093 python-version : ' 3.x'
8194 cache : ' pip'
@@ -111,7 +124,7 @@ jobs:
111124 security-events : write
112125 runs-on : ubuntu-latest
113126 steps :
114- - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 .0.2
127+ - uses : actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 .0.0
115128 - run : |
116129 curl -sSfL https://raw.githubusercontent.com/anchore/grype/43e7e3246ed01b1ec0ff54f9b054201ccbe78e3a/install.sh | sh -s -- -b /usr/local/bin v0.104.3
117130 grype --version
@@ -145,10 +158,10 @@ jobs:
145158 security-events : write
146159 runs-on : ubuntu-latest
147160 steps :
148- - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 .0.2
161+ - uses : actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 .0.0
149162 - run : |
150163 echo "checkov==3.2.500" > requirements.txt
151- - uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2 .0
164+ - uses : actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3 .0
152165 with :
153166 python-version : ' 3.x'
154167 cache : ' pip'
@@ -186,12 +199,12 @@ jobs:
186199 security-events : write
187200 runs-on : ubuntu-latest
188201 steps :
189- - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 .0.2
202+ - uses : actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 .0.0
190203 with :
191204 fetch-depth : 0 # Required for baseline comparison
192205 - run : |
193206 echo "semgrep==1.151.0" > requirements.txt
194- - uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2 .0
207+ - uses : actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3 .0
195208 with :
196209 python-version : ' 3.x'
197210 cache : ' pip'
@@ -209,33 +222,15 @@ jobs:
209222 BASELINE_ARGS="--baseline-commit $BASELINE_SHA"
210223 fi
211224
212- # Run semgrep, capture exit code
213- # Rule exclusions documented in .semgrep.yaml
225+ # Run semgrep against the vendored ruleset (RFC #211).
226+ # Exclusions are baked into tools/semgrep/rules-vendored.yaml
227+ # (source of truth: tools/semgrep/rules-status.toml), so no
228+ # --exclude-rule flags are needed. --config is explicit because
229+ # CI does not inherit mise's SEMGREP_RULES env.
214230 set +e
215- semgrep scan --oss-only --verbose --metrics=off --config=r/all \
231+ semgrep scan --oss-only --verbose --metrics=off \
232+ --config=tools/semgrep/rules-vendored.yaml \
216233 --max-log-list-entries=0 \
217- --exclude-rule="bbp-pattern-inject" \
218- --exclude-rule="ai.generic.detect-generic-ai-anthprop.detect-generic-ai-anthprop" \
219- --exclude-rule="generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key" \
220- --exclude-rule="apex.lang.best-practice.ncino.accessmodifiers.globalaccessmodifiers.global-access-modifiers" \
221- --exclude-rule="apex.lang.best-practice.ncino.urls.absoluteurls.absolute-urls" \
222- --exclude-rule="apex.lang.security.ncino.dml.apexcsrfconstructor.apex-csrf-constructor" \
223- --exclude-rule="apex.lang.security.ncino.dml.dmlnativestatements.dml-native-statements" \
224- --exclude-rule="apex.lang.security.ncino.encryption.badcrypto.bad-crypto" \
225- --exclude-rule="apex.lang.security.ncino.endpoints.insecurehttprequest.insecure-http-request" \
226- --exclude-rule="apex.lang.security.ncino.endpoints.namedcredentialsconstantmatch.named-credentials-constant-match" \
227- --exclude-rule="apex.lang.security.ncino.endpoints.namedcredentialsstringmatch.named-credentials-string-match" \
228- --exclude-rule="apex.lang.security.ncino.injection.apexsoqlinjectionfromunescapedurlparam.soql-injection-unescaped-url-param" \
229- --exclude-rule="apex.lang.security.ncino.injection.apexsoqlinjectionunescapedparam.soql-injection-unescaped-param" \
230- --exclude-rule="apex.lang.security.ncino.sharing.specifysharinglevel.specify-sharing-level" \
231- --exclude-rule="apex.lang.security.ncino.system.systemdebug.system-debug" \
232- --exclude-rule="elixir.lang.best-practice.deprecated-bnot-operator.deprecated_bnot_operator" \
233- --exclude-rule="elixir.lang.best-practice.deprecated-bxor-operator.deprecated_bxor_operator" \
234- --exclude-rule="elixir.lang.best-practice.deprecated-calendar-iso-day-of-week-3.deprecated_calendar_iso_day_of_week_3" \
235- --exclude-rule="elixir.lang.best-practice.deprecated-use-bitwise.deprecated_use_bitwise" \
236- --exclude-rule="elixir.lang.best-practice.enum-map-into.enum_map_into" \
237- --exclude-rule="elixir.lang.best-practice.enum-map-join.enum_map_join" \
238- --exclude-rule="elixir.lang.correctness.atom-exhaustion.atom_exhaustion" \
239234 --sarif-output semgrep-report_sarif.json $BASELINE_ARGS
240235 SEMGREP_EXIT=$?
241236 set -e
@@ -314,7 +309,7 @@ jobs:
314309 --health-timeout 5s
315310 --health-retries 10
316311 steps :
317- - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 .0.2
312+ - uses : actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 .0.0
318313 - name : Wait for ClamAV service
319314 run : timeout 300 bash -c 'until echo > /dev/tcp/localhost/3310; do sleep 5; done' 2>/dev/null
320315 - run : |
@@ -359,7 +354,7 @@ jobs:
359354 # - if: always()
360355 # run: |
361356 # docker inspect $(docker ps -qf "ancestor=sonarqube:community@sha256:48dd0e946ad6481dde43bb31d1a7af09c22f59be6399b195dcce7b87d82c5f40") | jq '.[] | {"test": .Config.Healthcheck.Test, "state": .State.Health}'
362- - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 .0.2
357+ - uses : actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 .0.0
363358 with :
364359 fetch-depth : 0
365360 - name : Wait for SonarQube to be ready
0 commit comments