feat: add semgrep security issues scanning #961
Conversation
In the provided QA run the `semgrep ci --sarif --output=semgrep.sarif || true` step has this output:
```
Scanning 1 file tracked by git with 54 Code rules:
Nothing to scan.
Current version has 0 findings.
```
It seems there's something wrong with the workflow setup because nothing was scanned. Please refactor accordingly and make sure semgrep is run against https://github.com/ubiquity/ubiquity-dollar/tree/development/packages/contracts/src/dollar.
I've pushed a fix that should fix that and scan only files in the QA Run: https://github.com/cohow/ubiquity-dollar/actions/runs/10903661456/job/30259764076#step:5:18
Side note: I could not get
Ok, I'm not sure how I missed that, but I managed to make it run with push QA: https://github.com/cohow/ubiquity-dollar/actions/runs/10904764860/job/30261986841#step:5:19
PR scan uses diff-aware scanning to limit the scan to files changed since the baseline commit.
@rndquu 🙂
To sum up, there are 2 semgrep security-related findings. First (deprecated contract, added it to
Second (added the
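The review above points at two things a defender wants to check after a `semgrep ci --sarif --output=semgrep.sarif || true` step: whether the scan actually covered the intended directory ("Nothing to scan" would otherwise pass silently because of `|| true`), and how many findings of which severity came back (the summary mentions 2 security-related findings). The script below is an added example, not code from the ubiquity-dollar PR or the Semgrep project: it reads the SARIF report Semgrep writes, keeps only findings under the directory the review asked to be scanned, summarizes them per rule and level, and returns a non-zero exit code on blocking findings. The SARIF document embedded in it is constructed for illustration; the rule ids, file names and line numbers in it are made up and do not correspond to the real findings.

```python
"""Summarize a Semgrep SARIF report and decide whether a CI job should fail.

Added example, not part of the ubiquity-dollar PR. It assumes the SARIF file
produced by `semgrep ci --sarif --output=semgrep.sarif`; the sample report
below is constructed for illustration (rule ids and paths are made up).
"""
import json
import sys
from collections import Counter

# Directory the review asked the scan to cover (path taken from the PR discussion).
TARGET_PREFIX = "packages/contracts/src/dollar/"

# Constructed SARIF 2.1.0 document standing in for a real semgrep.sarif.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Semgrep", "rules": [
            {"id": "example.deprecated-contract",  # hypothetical rule id
             "shortDescription": {"text": "Deprecated contract in use (constructed)"},
             "defaultConfiguration": {"level": "warning"}},
            {"id": "example.unchecked-call",  # hypothetical rule id
             "shortDescription": {"text": "Unchecked low-level call (constructed)"},
             "defaultConfiguration": {"level": "error"}},
        ]}},
        "results": [
            # No per-result level: severity must fall back to the rule default.
            {"ruleId": "example.deprecated-contract",
             "message": {"text": "constructed finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "packages/contracts/src/dollar/Legacy.sol"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "example.unchecked-call", "level": "error",
             "message": {"text": "constructed finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "packages/contracts/src/dollar/Vault.sol"},
                 "region": {"startLine": 88}}}]},
            # Outside the target directory: must be excluded by the path filter.
            {"ruleId": "example.unchecked-call", "level": "error",
             "message": {"text": "constructed finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "packages/scripts/Deploy.sol"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def load_findings(sarif_text, path_prefix=""):
    """Flatten SARIF results into (rule_id, level, uri, start_line) tuples.

    Severity comes from the result's own `level`, falling back to the rule's
    defaultConfiguration, since SARIF allows either. Only locations under
    path_prefix are kept so the caller can verify the intended directory was scanned.
    """
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                if not uri.startswith(path_prefix):
                    continue
                findings.append((res.get("ruleId"), level, uri, phys.get("region", {}).get("startLine")))
    return findings


def summarize(findings):
    """Count findings per (rule_id, level) for a short summary comment."""
    return Counter((rule, level) for rule, level, _, _ in findings)


def should_fail(findings, fail_on=("error",)):
    """True when any in-scope finding is at a level the team treats as blocking."""
    return any(level in fail_on for _, level, _, _ in findings)


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SARIF
    findings = load_findings(text, TARGET_PREFIX)
    for (rule, level), n in sorted(summarize(findings).items()):
        print(f"{level:8} {n:3}  {rule}")
    for rule, level, uri, line in findings:
        print(f"  {uri}:{line}  {rule}")
    if not findings:
        # Zero in-scope findings is also what a mis-scoped scan looks like.
        print(f"No findings under {TARGET_PREFIX}: confirm the scan actually covered it.")
    return 1 if should_fail(findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a step after the Semgrep step (`python summarize_sarif.py semgrep.sarif`) so the job fails on blocking findings even though the scan command itself is followed by `|| true`; without an argument it runs against the constructed sample.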
@cohow Could you merge obeys#2?
Ci/semgrep
Merged.
Resolves #949
QA: obeys#1
semgrep run: https://github.com/cohow/ubiquity-dollar/actions/runs/10865401897/job/30151817077?pr=1