

Prekzursilcodex
andcommitted
Repair Semgrep Zero workflow
Co-authored-by: Codex <noreply@openai.com>
1 parent fb88570 commit 548d273

Lines changed: 45 additions & 22 deletions


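--- a/.github/workflows/semgrep-zero.yml
+++ b/.github/workflows/semgrep-zero.yml
@@ -29,60 +29,83 @@ jobs:
 - name: Install Semgrep
 run: python -m pip install --upgrade pip semgrep
 - name: Select Semgrep rules
-id: rules
 shell: bash
 run: |
 set -euo pipefail
-configs=(
-p/default
-p/secrets
-p/github-actions
-)
+mkdir -p .tmp
+cat > .tmp/semgrep-configs.txt <<'CONFIGS'
+p/default
+p/secrets
+p/github-actions
+CONFIGS
 if find . -type f \( -name '*.py' -o -name 'pyproject.toml' \) -print -quit | grep -q .; then
-configs+=(p/python)
+echo p/python >> .tmp/semgrep-configs.txt
 fi
 if find . -type f \( -name '*.js' -o -name '*.jsx' -o -name '*.ts' -o -name '*.tsx' -o -name 'package.json' \) -print -quit | grep -q .; then
-configs+=(p/javascript)
+echo p/javascript >> .tmp/semgrep-configs.txt
 fi
 if find . -type f \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' -o -name '*.h' -o -name '*.hpp' \) -print -quit | grep -q .; then
-configs+=(p/cpp)
+echo p/cpp >> .tmp/semgrep-configs.txt
 fi
 if find . -type f \( -name '*.cs' -o -name '*.csproj' -o -name '*.sln' \) -print -quit | grep -q .; then
-configs+=(p/csharp)
+echo p/csharp >> .tmp/semgrep-configs.txt
 fi
-{
-echo 'configs<<EOF'
-printf '%s
-' "${configs[@]}"
-echo 'EOF'
-} >> "$GITHUB_OUTPUT"
 - name: Run Semgrep JSON gate
 shell: bash
 run: |
 set -euo pipefail
 mkdir -p semgrep-zero
-mapfile -t configs < <(printf '%s
-' "${{ steps.rules.outputs.configs }}")
+mapfile -t configs < .tmp/semgrep-configs.txt
 args=()
 for cfg in "${configs[@]}"; do
 [ -n "$cfg" ] || continue
 args+=(--config "$cfg")
 done
-python -m semgrep scan --error --metrics=off --json --output semgrep-zero/semgrep.json --exclude .git --exclude .venv --exclude venv --exclude node_modules --exclude dist --exclude build --exclude coverage --exclude coverage-100 --exclude third_party --exclude vendor "${args[@]}" "${SEMGREP_SRC_ROOT}"
+python -m semgrep scan \
+--error \
+--metrics=off \
+--json \
+--output semgrep-zero/semgrep.json \
+--exclude .git \
+--exclude .venv \
+--exclude venv \
+--exclude node_modules \
+--exclude dist \
+--exclude build \
+--exclude coverage \
+--exclude coverage-100 \
+--exclude third_party \
+--exclude vendor \
+"${args[@]}" \
+"${SEMGREP_SRC_ROOT}"
 - name: Render SARIF artifact
 if: always()
 shell: bash
 run: |
 set -euo pipefail
 mkdir -p semgrep-zero
-mapfile -t configs < <(printf '%s
-' "${{ steps.rules.outputs.configs }}")
+mapfile -t configs < .tmp/semgrep-configs.txt
 args=()
 for cfg in "${configs[@]}"; do
 [ -n "$cfg" ] || continue
 args+=(--config "$cfg")
 done
-python -m semgrep scan --metrics=off --sarif --output semgrep-zero/semgrep.sarif --exclude .git --exclude .venv --exclude venv --exclude node_modules --exclude dist --exclude build --exclude coverage --exclude coverage-100 --exclude third_party --exclude vendor "${args[@]}" "${SEMGREP_SRC_ROOT}"
+python -m semgrep scan \
+--metrics=off \
+--sarif \
+--output semgrep-zero/semgrep.sarif \
+--exclude .git \
+--exclude .venv \
+--exclude venv \
+--exclude node_modules \
+--exclude dist \
+--exclude build \
+--exclude coverage \
+--exclude coverage-100 \
+--exclude third_party \
+--exclude vendor \
+"${args[@]}" \
+"${SEMGREP_SRC_ROOT}"
 - name: Upload Semgrep artifacts
 if: always()
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02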
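Review bot: The language probes in the rules step (`find . -type f \( -name '*.js' … \) -print -quit`) do not apply the exclude list the scan itself uses, so a vendored `node_modules`, `vendor` or `third_party` tree switches on `p/javascript` or `p/cpp` for code the scan then skips, and the probes also walk `.git`. Prune the same directories in each probe, e.g. `find . \( -name .git -o -name node_modules -o -name vendor -o -name third_party \) -prune -o -type f \( -name '*.js' … \) -print -quit`. Separately, `.tmp/semgrep-configs.txt` is written inside the checkout and is neither excluded from the scan nor cleaned up; writing it to `"$RUNNER_TEMP/semgrep-configs.txt"` in all three steps, or at least adding `--exclude .tmp`, keeps the scan root clean. The `p/…` packs listed in the heredoc are resolved from the Semgrep registry at run time, so a registry update can change what this zero-findings gate reports without any repository change — worth a one-line comment above the heredoc if that is the accepted trade-off. The job header and the definition of `SEMGREP_SRC_ROOT` are outside the hunk.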

0 commit comments

Comments
 (0)