APPSEC-553: Add README, Semgrep OSS, and scan for secrets workflows #1
Merged
12 commits:
- 4b0af5d (mantej): Add README and Semgrep OSS workflow
- dbb0662 (mantej): Add Socket Security supply chain workflow
- d4fccc5 (mantej): Fix Socket CLI env var name: SOCKET_SECURITY_API_KEY -> SOCKET_SECURI…
- ea0a557 (mantej): Remove Socket Security workflow
- a2496d1 (mantej): Rewrite scan-for-secrets to use TruffleHog, matching org standard
- d671d43 (mantej): Rename job display names to 'public'
- a4ba75b (mantej): Fix script injection: use env vars instead of direct context interpol…
- f8c1b98 (mantej): Update README with workflow descriptions
- 6680067 (mantej): Semgrep: pin image digest, switch to semgrep scan with --config=auto,…
- ee402d3 (mantej): Fix semgrep container image pin to correct 1.161.0 digest from Docker…
- 5814ba2 (mantej): Remove redundant if: always() now that continue-on-error is set
- bb9b015 (mantej): Split semgrep ci (PR diff-aware) vs semgrep scan (scheduled full scan)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| name: Scan for Secrets | ||
|
|
||
| on: | ||
| pull_request: {} | ||
| merge_group: | ||
| types: [checks_requested] | ||
| workflow_dispatch: {} | ||
|
|
||
| jobs: | ||
| scan_for_secrets: | ||
| name: public | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| # Skip Dependabot PRs and auto-pass in merge queue (base branch already scanned) | ||
| if: | | ||
| github.actor != 'dependabot[bot]' && | ||
| github.actor != 'github-actions[bot]' | ||
| steps: | ||
| - name: Establish event metadata | ||
| id: establish_metadata | ||
| shell: bash | ||
| env: | ||
| EVENT_NAME: ${{ github.event_name }} | ||
| PR_COMMITS: ${{ github.event.pull_request.commits }} | ||
| PR_HEAD_REF: ${{ github.event.pull_request.head.ref }} | ||
| run: | | ||
| if [[ "$EVENT_NAME" == "pull_request" ]]; then | ||
| echo "fetch_depth=$(($PR_COMMITS + 2))" >> $GITHUB_OUTPUT | ||
| echo "branch=$PR_HEAD_REF" >> $GITHUB_OUTPUT | ||
| fi | ||
|
|
||
| - name: Auto-pass in merge queue | ||
| if: github.event_name == 'merge_group' | ||
| run: echo 'Auto-passing in merge queue' | ||
|
|
||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| if: github.event_name == 'pull_request' | ||
| with: | ||
| ref: ${{ steps.establish_metadata.outputs.branch }} | ||
| fetch-depth: ${{ steps.establish_metadata.outputs.fetch_depth }} | ||
|
|
||
| - name: Scan for secrets | ||
| if: github.event_name == 'pull_request' | ||
| uses: trufflesecurity/trufflehog@939f053fc5cc13136efeb9e4d505051455d135dd | ||
| with: | ||
| extra_args: --only-verified | ||
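Review bot: the checkout step's `ref: ${{ steps.establish_metadata.outputs.branch }}` hands actions/checkout a branch name (`github.event.pull_request.head.ref`), and checkout resolves that name against the base repository (`github.repository`). For a pull request opened from a fork the branch does not exist there and the checkout fails, which is the case this repository says it is built for; for same-repo PRs a branch name is also a moving target rather than the commit that triggered the run, so the scan can examine different commits from the ones the PR shows. Export `github.event.pull_request.head.sha` through `env` the same way the other values are, and use that as `ref` (or drop `ref` entirely and let checkout use the PR merge ref); the computed `fetch-depth` still works with a SHA. Separately, the job-level comment `# Skip Dependabot PRs and auto-pass in merge queue (base branch already scanned)` describes two behaviours, but the `if:` under it only filters actors; the merge-queue handling lives in the `Auto-pass in merge queue` step, so move that half of the comment down to the step it describes. Minor: quote `"$GITHUB_OUTPUT"` in the two `echo` redirects for consistency with the rest of the script's quoting.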
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| name: Semgrep OSS | ||
|
|
||
| on: | ||
| pull_request: {} | ||
| workflow_dispatch: {} | ||
| merge_group: | ||
| types: [checks_requested] | ||
| schedule: | ||
| # Full scan of main every Monday at 06:17 UTC. | ||
|
|
||
| # Randomized time to avoid GHA load spikes. | ||
| - cron: '17 6 * * 1' | ||
|
|
||
| jobs: | ||
| semgrep: | ||
| name: public | ||
| runs-on: ubuntu-latest | ||
| container: | ||
| image: semgrep/semgrep:1.161.0@sha256:326e5f41cc972bb423b764a14febbb62bbad29ee1c01820805d077dd868fea48 | ||
| permissions: | ||
| contents: read | ||
| security-events: write # Required for SARIF upload to GitHub Code Scanning | ||
| actions: read | ||
| # Skip Dependabot PRs and merge group events (diff scan not useful pre-merge) | ||
| if: | | ||
| github.actor != 'dependabot[bot]' && | ||
| github.actor != 'github-actions[bot]' && | ||
| github.event_name != 'merge_group' | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
|
|
||
| - name: Run Semgrep OSS (diff-aware) | ||
| # PR scan: diff-aware via semgrep ci, only surfaces new findings against the merge base. | ||
| # No SEMGREP_APP_TOKEN = fully local mode; no data leaves the runner. | ||
| if: github.event_name == 'pull_request' | ||
| run: semgrep ci --sarif --output=semgrep.sarif --config=auto | ||
| continue-on-error: true | ||
|
|
||
| - name: Run Semgrep OSS (full scan) | ||
| # Scheduled/manual scan: full repo scan via semgrep scan. | ||
| if: github.event_name != 'pull_request' | ||
| run: semgrep scan --sarif --output=semgrep.sarif --config=auto | ||
| continue-on-error: true | ||
|
|
||
| - name: Upload findings to GitHub Code Scanning | ||
| uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 | ||
| with: | ||
| sarif_file: semgrep.sarif | ||
| category: semgrep-oss | ||
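Review bot: the comment `# No SEMGREP_APP_TOKEN = fully local mode; no data leaves the runner.` is not accurate with `--config=auto`: the rule set is fetched from the Semgrep Registry at run time, and `--config=auto` requires Semgrep's metrics to stay enabled so that scan metadata is reported to semgrep.dev (Semgrep refuses `--metrics=off` together with `auto`). If the intent is no outbound reporting, pin explicit registry packs (for example `--config=p/default`) and pass `--metrics=off`, or vendor the rules into the repo; otherwise reword the comment so readers do not rely on an isolation guarantee the job does not provide. Second, `security-events: write` has no effect on `pull_request` runs from forks, where `GITHUB_TOKEN` is read-only, so the `upload-sarif` step will fail on exactly the external contributions this repository targets; either guard the upload with a condition such as `if: github.event.pull_request.head.repo.full_name == github.repository` (and let fork PRs surface findings only in the step log) or document that PR uploads are same-repo only. Finally, with `continue-on-error: true` on both scan steps a Semgrep crash that never writes `semgrep.sarif` still reaches the upload step and fails there with a missing-file error; if that is acceptable it is worth a one-line comment, since the job will then fail for a tooling reason rather than for findings.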
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| # security-workflows-public | ||
|
|
||
| Public AppSec tooling from Gemini's security engineering team, adapted for use in open source projects. | ||
|
|
||
| ## What's Here | ||
|
|
||
| This repository contains security workflows, scanners, and automation tools for securing Gemini's open source projects. | ||
|
|
||
| ## Workflows | ||
|
|
||
| ### Semgrep OSS | ||
| [`.github/workflows/semgrep.yml`](.github/workflows/semgrep.yml) | ||
|
|
||
| Runs [Semgrep](https://semgrep.dev) static analysis on pull requests and on a weekly schedule. Uses community rulesets (`p/default`, `p/security-audit`, `p/owasp-top-ten`) with no Semgrep account or token required. Findings are uploaded to GitHub Code Scanning. | ||
|
|
||
| ### Scan for Secrets | ||
| [`.github/workflows/scan-for-secrets.yml`](.github/workflows/scan-for-secrets.yml) | ||
|
|
||
| Scans pull requests for verified secrets using [TruffleHog](https://github.com/trufflesecurity/trufflehog). Only reports verified findings to minimize noise. No token or license required. | ||
|
|
||
| ## Contributing | ||
|
|
||
| This repository is maintained by Gemini's AppSec team. External contributions and feedback are welcome via GitHub Issues. | ||
|
|
||
| ## License | ||
|
|
||
| See [LICENSE](LICENSE) for details. |
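Review bot: the Semgrep OSS paragraph says the workflow "Uses community rulesets (`p/default`, `p/security-audit`, `p/owasp-top-ten`)", but `.github/workflows/semgrep.yml` in this same PR runs `semgrep ci --config=auto` and `semgrep scan --config=auto`, which lets the Semgrep Registry choose rules from the detected languages rather than those three packs; either switch the workflow to the explicit packs the README promises or change the README to say `--config=auto`, so the two do not drift further apart. The "no Semgrep account or token required" claim is correct, but since `--config=auto` still fetches rules from the Registry and reports metrics, a clause saying so would match what the job actually does. In the Scan for Secrets paragraph, "verified" would be clearer with a few words explaining that TruffleHog verifies a candidate by contacting the credential's issuing service, which is the reason the `--only-verified` mode is low-noise and also the reason the job makes outbound requests. Both paragraphs link to workflow paths that this PR adds, so the links are consistent with the diff.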