Skip to content

Add Semgrep SAST to CI + pre-commit#37

Merged
leesaenz merged 2 commits into
mainfrom
chore/semgrep-sast
Jun 1, 2026
Merged

Add Semgrep SAST to CI + pre-commit#37
leesaenz merged 2 commits into
mainfrom
chore/semgrep-sast

Conversation

@leesaenz

@leesaenz leesaenz commented Jun 1, 2026

Copy link
Copy Markdown
Collaborator

Adds a Semgrep static-analysis gate complementing the existing CodeQL setup.

What

  • CI: new "Semgrep (SAST)" job in security-scan.yml, run via uv run --with semgrep (no token), --error so it blocks on findings.
  • Local: matching pre-commit hook (same rulesets), scans src/ when a source file changes.
  • Rulesets: p/python + p/security-audit + p/command-injection (setup-reaper is subprocess-heavy) — 201 rules over src/.

Baseline finding resolved

The one finding (dynamic-urllib-use-detected in cli/update.py) is genuinely addressed: _fetch_json now pins the scheme to https:// so a file:// URL can never reach urlopen,
with a justified # nosemgrep on the verified-safe call (all callers pass hardcoded GitHub API constants).

Verification

Clean scan (0 findings, exit 0) locally; the pre-commit hook ran and passed on this branch's commit. The Semgrep (SAST) job runs on this PR.

leesaenz and others added 2 commits June 1, 2026 16:39
Adds a Semgrep static-analysis gate complementing CodeQL, running the
p/python, p/security-audit, and p/command-injection rulesets over src/:
- New "Semgrep (SAST)" job in security-scan.yml (via uv run --with, no token).
- Matching local pre-commit hook so findings surface before commit.

Resolves the one baseline finding: _fetch_json now pins the scheme to https
(so a file:// URL can never reach urlopen) with a justified nosemgrep on the
verified-safe call.
@leesaenz leesaenz merged commit d81d752 into main Jun 1, 2026
12 checks passed
@leesaenz leesaenz deleted the chore/semgrep-sast branch June 1, 2026 21:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant