Add security workflows

[maxammann]

No description provided.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[graphite-app]

Invalid syntax: shell: bash cannot be used with uses: steps in composite actions. The shell property is only valid for run: steps. This will cause the workflow to fail with a validation error.

Fix: Remove line 14 entirely:

- name: "Run scorecard"
  uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
  with:
    results_file: results.sarif
    results_format: sarif
    publish_results: false
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Suggested change

	- name: "Run scorecard"
	uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
	with:
	results_file: results.sarif
	results_format: sarif
	publish_results: false
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	shell: bash
	- name: "Run scorecard"
	uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
	with:
	results_file: results.sarif
	results_format: sarif
	publish_results: false
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Spotted by Graphite Agent



Is this helpful? React 👍 or 👎 to let us know.

[graphite-app]

Passing gh_token to semgrep-action but the action doesn't declare any inputs. Looking at .github/actions/semgrep-action/action.yml, there is no inputs: section defined, so this parameter will be ignored or cause an error. Either remove the with: block or add the input definition to the semgrep-action.

Suggested change

	- uses: KittyCAD/gha-workflows/.github/actions/semgrep-action@security
	with:
	gh_token: ${{ secrets.GITHUB_TOKEN }}
	- uses: KittyCAD/gha-workflows/.github/actions/semgrep-action@security

Spotted by Graphite Agent



Is this helpful? React 👍 or 👎 to let us know.

[graphite-app]

Wrong step reference - uses steps.zizmor.outputs.results_file_path but the step ID is semgrep (line 54). This will result in an empty/undefined path being passed to DefectDojo.

report_path: ${{ steps.semgrep.outputs.results_file_path }}

Suggested change

	report_path: ${{ steps.zizmor.outputs.results_file_path }}
	report_path: ${{ steps.semgrep.outputs.results_file_path }}

Spotted by Graphite Agent



Is this helpful? React 👍 or 👎 to let us know.

[graphite-app]

Critical bug: github.event.pull_request.base.sha will be undefined/empty when this action is called from security-default-branch.yml (triggered on push to main, not PRs). This will cause the semgrep scan to fail or use an invalid baseline commit.

Impact: The semgrep job in the default branch workflow will fail or produce incorrect results.

Fix: Make the baseline commit conditional or use a parameter:

--baseline-commit=${{ github.event.pull_request.base.sha || github.event.before }} \

Or add an input parameter to control baseline behavior:

inputs:
  baseline_commit:
    description: 'Baseline commit for comparison'
    required: false
    default: ''

Then use:

${{ inputs.baseline_commit != '' && format('--baseline-commit={0}', inputs.baseline_commit) || '' }}

Suggested change

	--baseline-commit=${{ github.event.pull_request.base.sha }} \
	--baseline-commit=${{ github.event.pull_request.base.sha || github.event.before }} \

Spotted by Graphite Agent



Is this helpful? React 👍 or 👎 to let us know.