DevSecOps test

Taofeeqib · Taofeeqib · commit ed929da65910 · 2025-09-07T11:31:55.000+02:00
diff --git a/.github/workflows/devsecops-pipeline.yml b/.github/workflows/devsecops-pipeline.yml
@@ -35,17 +35,41 @@ jobs:
       
       - name: Semgrep scan
         uses: semgrep/semgrep-action@v1
+        continue-on-error: true
         with:
           config: >-
             p/javascript
-            p/angular
-            p/nodejsscan
+            p/typescript
+            p/react
+            r/typescript.angular.security.audit.angular-allow-trusted-dynamic-script.angular-allow-trusted-dynamic-script
             ./xss/semgrep.yaml
             ./semgrep-custom-rules.yaml
           output: semgrep-results.sarif
+      
+      - name: Create empty SARIF file if it doesn't exist
+        run: |
+          if [ ! -f "semgrep-results.sarif" ]; then
+            echo '{
+              "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+              "version": "2.1.0",
+              "runs": [
+                {
+                  "tool": {
+                    "driver": {
+                      "name": "Semgrep",
+                      "version": "placeholder",
+                      "rules": []
+                    }
+                  },
+                  "results": []
+                }
+              ]
+            }' > semgrep-results.sarif
+            echo "Created empty SARIF file as semgrep scan failed"
+          fi
           
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
           sarif_file: semgrep-results.sarif
@@ -81,7 +105,7 @@ jobs:
             --scan-config ./dependency-check-config.json
           
       - name: Upload SARIF files
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
           sarif_file: './reports/'
diff --git a/semgrep-custom-rules.yaml b/semgrep-custom-rules.yaml
@@ -27,16 +27,17 @@ rules:
 
   # Node.js API Vulnerabilities
   - id: express-no-helmet
-    pattern: |
-      import $EXPRESS from 'express';
-      ...
-      const $APP = $EXPRESS();
-      ...
-    pattern-not: |
-      import $H from 'helmet';
-      ...
-      $APP.use($H());
-      ...
+    patterns:
+      - pattern: |
+          import $EXPRESS from 'express';
+          ...
+          const $APP = $EXPRESS();
+          ...
+      - pattern-not: |
+          import $H from 'helmet';
+          ...
+          $APP.use($H());
+          ...
     message: >
       Express application detected without Helmet middleware. Helmet helps secure
       Express apps by setting various HTTP headers. Consider adding
