
Run semgrep scan with community edition on every PR #22

Merged: quekshuy merged 5 commits into master from quekshuy/semgrep-free-scan/1 on Aug 5, 2025

Conversation

@quekshuy (Contributor) commented Aug 4, 2025

Replace SonarCloud with Semgrep Security Scanning

This PR migrates the project's security scanning from SonarCloud to Semgrep Community Edition, providing comprehensive security analysis for React Native applications.

Changes Made

  • Removed SonarCloud workflow (build_ts.yml) that was running SonarCloud scans on push/PR events
  • Added Semgrep CE workflow (semgrep_scan.yml) with:
    • Automated scanning on push to master and PR events
    • SARIF output integration with GitHub Security tab
    • Dependabot exclusion to avoid permission issues
  • Created comprehensive security rules (.semgrep_scan_rules.yml) covering:
    • JavaScript/TypeScript security patterns (hardcoded secrets, unsafe requires)
    • Android Java security rules (external storage, sensitive logging, file permissions)
    • iOS Objective-C security patterns (NSLog sensitive data, file manager usage)
    • Cross-platform vulnerabilities (command injection, weak crypto)
    • React Native specific security concerns (bridge exposure, WebView usage)
    • Build configuration security (HTTP repositories)

Benefits

  • Free and open-source security scanning with Semgrep Community Edition
  • React Native focused rules that understand mobile app security patterns
  • Multi-language support for JavaScript, TypeScript, Java, Objective-C, and Gradle
  • GitHub Security integration via SARIF upload for centralized vulnerability management
  • Comprehensive coverage of common mobile security vulnerabilities

Testing

The workflow will run automatically on this PR to validate the Semgrep configuration and rules.

--

hee hee
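The workflow the description outlines (Semgrep CE on pushes to master and on pull requests, SARIF uploaded to the Security tab, Dependabot runs skipped) written out as an added example. This is not the PR's own semgrep_scan.yml: it assumes the rules file lives at .semgrep_scan_rules.yml as the description says, uses the semgrep/semgrep container image for the scan and github/codeql-action/upload-sarif for the upload, and the job and step names are my choice.

```yaml
name: Semgrep Security Scan

on:
  push:
    branches: [master]
  pull_request:

# The SARIF upload needs security-events: write; everything else stays read-only.
permissions:
  contents: read
  security-events: write

jobs:
  semgrep:
    name: Semgrep CE scan
    runs-on: ubuntu-latest
    # Runs triggered by Dependabot get a read-only GITHUB_TOKEN, so the upload
    # step would fail with a permissions error; skip the job for that actor.
    if: github.actor != 'dependabot[bot]'
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4

      # Scan with the repository's own rules file (path from the PR) and write
      # SARIF for code scanning; --metrics=off keeps CI from phoning home.
      - name: Run Semgrep with the project rules
        run: semgrep scan --config .semgrep_scan_rules.yml --sarif --output semgrep.sarif --metrics=off

      - name: Upload SARIF to GitHub code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif
```

As written, findings appear in the Security tab and on the PR but do not fail the check; add --error to the semgrep command if they should, and in that case put if: always() on the upload step so the SARIF still reaches the Security tab when the scan step fails.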

Copilot AI review requested due to automatic review settings August 4, 2025 11:45

Copilot AI left a comment


Pull Request Overview

This PR adds automated security scanning using Semgrep Community Edition to run on every pull request. The implementation includes custom security rules for React Native mobile development and integrates with GitHub Actions workflow.

  • Introduces comprehensive Semgrep security rules covering JavaScript/TypeScript, Java Android, Objective-C iOS, and general cross-platform vulnerabilities
  • Adds GitHub Actions workflow to automatically run Semgrep scans on PRs and master branch pushes
  • Configures file inclusion/exclusion patterns to focus scanning on relevant source code files

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

Reviewed files:

  • .semgrep_scan_rules.yml: Defines custom security rules for detecting hardcoded secrets, unsafe practices, and platform-specific vulnerabilities
  • .github/workflows/semgrep_scan.yml: GitHub Actions workflow configuration to run Semgrep scans automatically on PRs
Comments suppressed due to low confidence (1)

.github/workflows/semgrep_scan.yml:1
    name: Build TS

  • The workflow name 'Build TS' is misleading as this workflow performs security scanning with Semgrep, not TypeScript building. Consider renaming to 'Semgrep Security Scan' or similar.

Comment thread .semgrep_scan_rules.yml

    - pattern: |
        maven { url 'http://...' }
      message: "HTTP repository URL found - use HTTPS for security"
      languages: [gradle]

Copilot AI Aug 4, 2025


The language 'gradle' is not a valid Semgrep language identifier. Gradle files should use 'generic' or be handled through file patterns. Consider using 'generic' language or removing this rule if not supported.

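A version of the Gradle HTTP-repository rule that follows the comment above, as an added example rather than the PR's own rule file: Semgrep has no gradle language identifier, so the rule runs in generic mode and is restricted to Gradle build scripts with paths.include. The rule id, the severity, the metadata block and the double-quoted and Kotlin-DSL variants are my additions; the message is the PR's.

```yaml
rules:
  - id: gradle-http-repository-url
    # Semgrep has no 'gradle' language; generic mode matches on tokens, and
    # paths.include keeps the rule from being tried against unrelated files.
    languages: [generic]
    paths:
      include:
        - "**/*.gradle"
        - "**/*.gradle.kts"
    # In generic mode '...' matches any run of tokens, so
    # maven { url 'http://repo.example.com/m2' } is caught in either quoting
    # style, and the Kotlin DSL form maven { url = uri("http://...") } too.
    pattern-either:
      - pattern: |
          maven { url 'http://...' }
      - pattern: |
          maven { url "http://..." }
      - pattern: |
          uri("http://...")
    message: "HTTP repository URL found - use HTTPS for security"
    severity: WARNING
    metadata:
      category: security
      technology: [gradle]
```

Check the rules file before committing it with semgrep --validate --config .semgrep_scan_rules.yml, which flags unknown language identifiers and malformed patterns as rule errors instead of letting the scan run with a rule silently dropped.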
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@quekshuy quekshuy merged commit 2ed0516 into master Aug 5, 2025
2 checks passed
5 participants