Merge pull request #5 from catawiki/security-scan
Fixed Semgrep detection issue
ArisBee authored Sep 24, 2024
2 parents d5227ea + 7fce03e commit cfd2a96
Showing 5 changed files with 54 additions and 39 deletions.
19 changes: 1 addition & 18 deletions .github/workflows/detect-secrets.yml
Expand Up @@ -3,8 +3,6 @@ name: Detect Secrets Scan
on:
workflow_dispatch:
pull_request:
env:
exclude: ''

permissions:
contents: read
Expand All @@ -23,22 +21,7 @@ jobs:
run: chown root:root .
- name: Install detect-secrets
run: pip install detect-secrets
- name: Set --exclude-files arguments
if: ${{ env.exclude }} != ''
shell: bash
run: |
# Use a loop to parse the values in the exclude input and build the desired string
exclude_args=""
IFS=' ' read -a arr <<< $exclude
for ex in "${arr[@]}"
do
exclude_args="${exclude_args} --exclude-files '${ex}'"
done
echo "exclude_args=${exclude_args}" >> $GITHUB_ENV
- name: Run detect-secrets-hook
shell: bash
run: |
detect-secrets-hook --baseline .secrets.baseline ${{ env.exclude_args }} * --json > /tmp/secrets.json
- name: Show detect-secrets differences
if: ${{ failure() }}
run: git diff
git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline *
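Review bot: The trailing `*` on the new run line is still expanded by the shell and appended to every xargs invocation, so each detect-secrets-hook call receives the repository's top-level entries on top of the `git ls-files` batch: files at the root are scanned twice whenever the list spans more than one batch, and any top-level directory is handed to the hook as if it were a file. Dropping the glob leaves the tracked-file list as the only input: `git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline`. The non-zero exit of a failing batch only fails the step if the pipe runs under the runner's default bash options (`-eo pipefail`), which the `shell: bash` context line above suggests but the hunk does not prove, so it is worth confirming once with a known finding. The enclosing job begins outside the hunk.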
7 changes: 3 additions & 4 deletions .github/workflows/semgrep.yml
Expand Up @@ -4,7 +4,7 @@ on:
workflow_dispatch:
pull_request:
env:
configs: "p/ci p/security-audit p/owasp-top-ten"
configs: "rules/ p/ci p/security-audit p/owasp-top-ten"

permissions:
contents: read
Expand Down Expand Up @@ -35,8 +35,7 @@ jobs:
SEMGREP_SEND_METRICS: off
shell: bash
run: |
set +o pipefail
semgrep scan . --gitlab-sast -o /tmp/semgrep.json
semgrep scan . --error --gitlab-sast -o /tmp/semgrep.json
- name: Show Semgrep report
if: success() || failure()
run: cat /tmp/semgrep.json
run: cat /tmp/semgrep.json
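Review bot: With `rules/` prepended to `configs` in the first hunk, the rule set the scan enforces now comes from the checked-out tree, and since the workflow runs on `pull_request` a change to that directory in the same PR changes what the scan reports; protecting `rules/` with a CODEOWNERS entry or required review, or loading the repository rules from a fixed ref, keeps the policy out of the change it is meant to check (how `configs` is consumed lies outside the hunk, so this is inferred). Adding `--error` makes the scan step fail on findings, which the report step tolerates through `if: success() || failure()`, so that pairing is consistent. The last two lines of the second hunk both read `run: cat /tmp/semgrep.json`; if that is a whitespace-only edit it is fine, otherwise the report only ever lives in the job log and could additionally be uploaded as an artifact for triage.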
30 changes: 16 additions & 14 deletions .pre-commit-config.yaml
@@ -1,22 +1,24 @@
repos:
- repo: https://github.com/semgrep/semgrep
rev: "v1.86.0"
rev: '768d0f4c3ccb4b1740eef22bbbd57fc936450df2' # frozen: v1.84.1
hooks:
- id: semgrep
args:
[
"--config",
"p/ci",
"--error",
"--skip-unknown-extensions",
"--metrics",
"off",
]
stages: [pre-push]
- --config
- rules/
- --error
- --skip-unknown-extensions
- --metrics
- 'off'
stages:
- pre-push
- repo: https://github.com/Yelp/detect-secrets
rev: v1.5.0
rev: '68e8b45440415753fff70a312ece8da92ba85b4a' # frozen: v1.5.0
hooks:
- id: detect-secrets
stages: [pre-commit]
args: ["--baseline", ".secrets.baseline"]
exclude: yarn.lock
args:
- --baseline
- .secrets.baseline
stages:
- pre-commit
exclude: package-lock.json
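Review bot: The two pinned commit SHAs on the `rev:` lines are exactly what the updated `.secrets.baseline` now records as `Hex High Entropy String` findings for this file (lines 3 and 16); an inline allowlist on each line keeps the false positive next to its cause instead of in the generated baseline, e.g. `rev: '768d0f4c3ccb4b1740eef22bbbd57fc936450df2'  # frozen: v1.84.1  # pragma: allowlist secret`. Pinning to a SHA is the right move, but the frozen Semgrep tag v1.84.1 is below the previous `v1.86.0`; if the downgrade is not intentional, re-freeze at the newer tag's commit. pre-commit's `exclude` is a regex, so `package-lock.json` is unanchored and its `.` matches any character; `exclude: ^package-lock\.json$` excludes only the intended file.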
27 changes: 24 additions & 3 deletions .secrets.baseline
@@ -1,5 +1,5 @@
{
"version": "1.4.0",
"version": "1.5.0",
"plugins_used": [
{
"name": "ArtifactoryDetector"
Expand Down Expand Up @@ -75,6 +75,10 @@
{
"path": "detect_secrets.filters.allowlist.is_line_allowlisted"
},
{
"path": "detect_secrets.filters.common.is_baseline_file",
"filename": ".secrets.baseline"
},
{
"path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
"min_level": 2
Expand Down Expand Up @@ -107,6 +111,23 @@
"path": "detect_secrets.filters.heuristic.is_templated_secret"
}
],
"results": {},
"generated_at": "2024-09-11T10:26:17Z"
"results": {
".pre-commit-config.yaml": [
{
"type": "Hex High Entropy String",
"filename": ".pre-commit-config.yaml",
"hashed_secret": "23414c22063b86dd91d7570689f2da10d72ec4f8",
"is_verified": false,
"line_number": 3
},
{
"type": "Hex High Entropy String",
"filename": ".pre-commit-config.yaml",
"hashed_secret": "86242b7a7b67c1fd83514757a6b319602d648e94",
"is_verified": false,
"line_number": 16
}
]
},
"generated_at": "2024-09-23T17:27:01Z"
}
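--- a/rules/dangerous_innerhtml.yaml
+++ b/rules/dangerous_innerhtml.yaml
@@ -0,0 +1,10 @@
+rules:
+- id: detect-dangerous-innerhtml
+pattern: |
+<$_ dangerouslySetInnerHTML={ { __html: $VAL } } />
+message: "Usage of 'dangerouslySetInnerHTML' can lead to XSS vulnerabilities. Avoid using it unless absolutely necessary."
+severity: ERROR
+languages: [javascript, typescript]
+metadata:
+category: security
+technology: react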
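Review bot: The single `pattern:` only matches a self-closing element whose attribute value is an inline object literal with an `__html` key, so `<div dangerouslySetInnerHTML={{__html: v}}></div>` and `<div dangerouslySetInnerHTML={markup} />` would both pass the scan unreported. A `pattern-either` with an attribute ellipsis covers both tag shapes and any attribute value, as sketched below (verify the JSX pattern syntax against a small test file before relying on it). Adding `cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"` under `metadata` gives the finding its classification in the GitLab SAST report. A `---` document-start marker and folding the long `message` with `>-` would match the style of the workflow files.
```yaml
rules:
  - id: detect-dangerous-innerhtml
    pattern-either:
      - pattern: |
          <$EL dangerouslySetInnerHTML={...} ... />
      - pattern: |
          <$EL dangerouslySetInnerHTML={...} ...>...</$EL>
    # … unchanged: message, severity, languages, metadata …
```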