Skip to content

Merge remote-tracking branch 'upstream/main' #2

Merge remote-tracking branch 'upstream/main'

Merge remote-tracking branch 'upstream/main' #2

Workflow file for this run

name: Semgrep Checks
on:
push:
branches:
- main
- 'release/**'
pull_request:
paths:
- internal/**
- .semgrep*yml
- .github/workflows/semgrep-ci.yml
## NOTE: !!!
## When changing these workflows, ensure that the following is updated:
## - Documentation: docs/continuous-integration.md
## - Documentation: docs/makefile-cheat-sheet.md
## - Makefile: ./GNUmakefile
env:
SEMGREP_SEND_METRICS: "off"
SEMGREP_ENABLE_VERSION_CHECK: false
SEMGREP_TIMEOUT: 300
SEMGREP_ARGS: --error --quiet
jobs:
semgrep-validate:
name: Validate Code Quality Rules
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- run: |
semgrep --validate \
--config .ci/.semgrep.yml \
--config .ci/.semgrep-constants.yml \
--config .ci/.semgrep-test-constants.yml \
--config .ci/semgrep/
semgrep-test:
name: Semgrep Rule Tests
needs: [semgrep-validate]
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- run: |
semgrep --quiet --test .ci/semgrep/
semgrep:
name: Code Quality Scan
needs: [semgrep-test]
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- run: |
semgrep $SEMGREP_ARGS \
--config .ci/.semgrep.yml \
--config .ci/.semgrep-constants.yml \
--config .ci/.semgrep-test-constants.yml \
--config .ci/semgrep/ \
--config 'r/dgryski.semgrep-go.badnilguard' \
--config 'r/dgryski.semgrep-go.errnilcheck' \
--config 'r/dgryski.semgrep-go.marshaljson' \
--config 'r/dgryski.semgrep-go.nilerr' \
--config 'r/dgryski.semgrep-go.oddifsequence' \
--config 'r/dgryski.semgrep-go.oserrors'
naming_cae:
name: Naming Scan Caps/AWS/EC2
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
if: (github.action != 'dependabot[bot]')
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- run: semgrep --validate --config .ci/.semgrep-caps-aws-ec2.yml
- run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-caps-aws-ec2.yml
naming_tests:
name: Test Configs Scan
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
if: (github.action != 'dependabot[bot]')
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- run: semgrep --validate --config .ci/.semgrep-configs.yml
- run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-configs.yml
naming_semgrep0:
name: Service Name Scan A-C
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
if: (github.action != 'dependabot[bot]')
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- run: semgrep --validate --config .ci/.semgrep-service-name0.yml
- run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-service-name0.yml
naming_semgrep1:
name: Service Name Scan C-I
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
if: (github.action != 'dependabot[bot]')
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- run: semgrep --validate --config .ci/.semgrep-service-name1.yml
- run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-service-name1.yml
naming_semgrep2:
name: Service Name Scan I-Q
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
if: (github.action != 'dependabot[bot]')
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- run: semgrep --validate --config .ci/.semgrep-service-name2.yml
- run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-service-name2.yml
naming_semgrep3:
name: Service Name Scan Q-Z
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
if: (github.action != 'dependabot[bot]')
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- run: semgrep --validate --config .ci/.semgrep-service-name3.yml
- run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-service-name3.yml