Skip to content

Commit 6cda1f0

Browse files
authored
Merge pull request #1 from gemini/add-readme-and-semgrep
APPSEC-553: Add README, Semgrep OSS, and scan for secrets workflows
2 parents 0dd9703 + bb9b015 commit 6cda1f0

3 files changed

Lines changed: 122 additions & 0 deletions

File tree

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,47 @@
1+
name: Scan for Secrets
2+
3+
on:
4+
pull_request: {}
5+
merge_group:
6+
types: [checks_requested]
7+
workflow_dispatch: {}
8+
9+
jobs:
10+
scan_for_secrets:
11+
name: public
12+
runs-on: ubuntu-latest
13+
permissions:
14+
contents: read
15+
# Skip Dependabot PRs and auto-pass in merge queue (base branch already scanned)
16+
if: |
17+
github.actor != 'dependabot[bot]' &&
18+
github.actor != 'github-actions[bot]'
19+
steps:
20+
- name: Establish event metadata
21+
id: establish_metadata
22+
shell: bash
23+
env:
24+
EVENT_NAME: ${{ github.event_name }}
25+
PR_COMMITS: ${{ github.event.pull_request.commits }}
26+
PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
27+
run: |
28+
if [[ "$EVENT_NAME" == "pull_request" ]]; then
29+
echo "fetch_depth=$(($PR_COMMITS + 2))" >> $GITHUB_OUTPUT
30+
echo "branch=$PR_HEAD_REF" >> $GITHUB_OUTPUT
31+
fi
32+
33+
- name: Auto-pass in merge queue
34+
if: github.event_name == 'merge_group'
35+
run: echo 'Auto-passing in merge queue'
36+
37+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
38+
if: github.event_name == 'pull_request'
39+
with:
40+
ref: ${{ steps.establish_metadata.outputs.branch }}
41+
fetch-depth: ${{ steps.establish_metadata.outputs.fetch_depth }}
42+
43+
- name: Scan for secrets
44+
if: github.event_name == 'pull_request'
45+
uses: trufflesecurity/trufflehog@939f053fc5cc13136efeb9e4d505051455d135dd
46+
with:
47+
extra_args: --only-verified

.github/workflows/semgrep.yml

Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
name: Semgrep OSS
2+
3+
on:
4+
pull_request: {}
5+
workflow_dispatch: {}
6+
merge_group:
7+
types: [checks_requested]
8+
schedule:
9+
# Full scan of main every Monday at 06:17 UTC.
10+
# Randomized time to avoid GHA load spikes.
11+
- cron: '17 6 * * 1'
12+
13+
jobs:
14+
semgrep:
15+
name: public
16+
runs-on: ubuntu-latest
17+
container:
18+
image: semgrep/semgrep:1.161.0@sha256:326e5f41cc972bb423b764a14febbb62bbad29ee1c01820805d077dd868fea48
19+
permissions:
20+
contents: read
21+
security-events: write # Required for SARIF upload to GitHub Code Scanning
22+
actions: read
23+
# Skip Dependabot PRs and merge group events (diff scan not useful pre-merge)
24+
if: |
25+
github.actor != 'dependabot[bot]' &&
26+
github.actor != 'github-actions[bot]' &&
27+
github.event_name != 'merge_group'
28+
steps:
29+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
30+
31+
- name: Run Semgrep OSS (diff-aware)
32+
# PR scan: diff-aware via semgrep ci, only surfaces new findings against the merge base.
33+
# No SEMGREP_APP_TOKEN = fully local mode; no data leaves the runner.
34+
if: github.event_name == 'pull_request'
35+
run: semgrep ci --sarif --output=semgrep.sarif --config=auto
36+
continue-on-error: true
37+
38+
- name: Run Semgrep OSS (full scan)
39+
# Scheduled/manual scan: full repo scan via semgrep scan.
40+
if: github.event_name != 'pull_request'
41+
run: semgrep scan --sarif --output=semgrep.sarif --config=auto
42+
continue-on-error: true
43+
44+
- name: Upload findings to GitHub Code Scanning
45+
uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
46+
with:
47+
sarif_file: semgrep.sarif
48+
category: semgrep-oss

README.md

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
# security-workflows-public
2+
3+
Public AppSec tooling from Gemini's security engineering team, adapted for use in open source projects.
4+
5+
## What's Here
6+
7+
This repository contains security workflows, scanners, and automation tools for securing Gemini's open source projects.
8+
9+
## Workflows
10+
11+
### Semgrep OSS
12+
[`.github/workflows/semgrep.yml`](.github/workflows/semgrep.yml)
13+
14+
Runs [Semgrep](https://semgrep.dev) static analysis on pull requests and on a weekly schedule. Uses community rulesets (`p/default`, `p/security-audit`, `p/owasp-top-ten`) with no Semgrep account or token required. Findings are uploaded to GitHub Code Scanning.
15+
16+
### Scan for Secrets
17+
[`.github/workflows/scan-for-secrets.yml`](.github/workflows/scan-for-secrets.yml)
18+
19+
Scans pull requests for verified secrets using [TruffleHog](https://github.com/trufflesecurity/trufflehog). Only reports verified findings to minimize noise. No token or license required.
20+
21+
## Contributing
22+
23+
This repository is maintained by Gemini's AppSec team. External contributions and feedback are welcome via GitHub Issues.
24+
25+
## License
26+
27+
See [LICENSE](LICENSE) for details.

0 commit comments

Comments
 (0)