Add security workflows #6
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
| - uses: actions/checkout@v3 | ||
| with: | ||
| fetch-depth: 0 |
Check warning
Code scanning / zizmor
credential persistence through GitHub Actions artifacts
![graphite-app[bot]](https://avatars.githubusercontent.com/in/158384?s=60&v=4){kind=small}
| - name: "Run scorecard" | ||
| uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a | ||
| with: | ||
| results_file: results.sarif | ||
| results_format: sarif | ||
| publish_results: false | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| shell: bash |
There was a problem hiding this comment.
Invalid syntax: shell: bash cannot be used with uses: steps in composite actions. The shell property is only valid for run: steps. This will cause the workflow to fail with a validation error.
Fix: Remove line 14 entirely:
- name: "Run scorecard"
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
with:
results_file: results.sarif
results_format: sarif
publish_results: false
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}| - name: "Run scorecard" | |
| uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a | |
| with: | |
| results_file: results.sarif | |
| results_format: sarif | |
| publish_results: false | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| shell: bash | |
| - name: "Run scorecard" | |
| uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a | |
| with: | |
| results_file: results.sarif | |
| results_format: sarif | |
| publish_results: false | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
Spotted by Graphite Agent
Is this helpful? React 👍 or 👎 to let us know.
| - uses: KittyCAD/gha-workflows/.github/actions/semgrep-action@security | ||
| with: | ||
| gh_token: ${{ secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
Passing gh_token to semgrep-action but the action doesn't declare any inputs. Looking at .github/actions/semgrep-action/action.yml, there is no inputs: section defined, so this parameter will be ignored or cause an error. Either remove the with: block or add the input definition to the semgrep-action.
| - uses: KittyCAD/gha-workflows/.github/actions/semgrep-action@security | |
| with: | |
| gh_token: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: KittyCAD/gha-workflows/.github/actions/semgrep-action@security |
Spotted by Graphite Agent
Is this helpful? React 👍 or 👎 to let us know.
| - uses: KittyCAD/gha-workflows/.github/actions/upload-defectdojo@security | ||
| with: | ||
| dd_token: ${{ secrets.DEFECTDOJO_API_TOKEN }} | ||
| report_path: ${{ steps.zizmor.outputs.results_file_path }} |
There was a problem hiding this comment.
Wrong step reference - uses steps.zizmor.outputs.results_file_path but the step ID is semgrep (line 54). This will result in an empty/undefined path being passed to DefectDojo.
report_path: ${{ steps.semgrep.outputs.results_file_path }}| report_path: ${{ steps.zizmor.outputs.results_file_path }} | |
| report_path: ${{ steps.semgrep.outputs.results_file_path }} |
Spotted by Graphite Agent
Is this helpful? React 👍 or 👎 to let us know.
| --severity=WARNING \ | ||
| --severity=ERROR \ | ||
| --exclude="*.html" --exclude="*.js" \ | ||
| --baseline-commit=${{ github.event.pull_request.base.sha }} \ |
There was a problem hiding this comment.
Critical bug: github.event.pull_request.base.sha will be undefined/empty when this action is called from security-default-branch.yml (triggered on push to main, not PRs). This will cause the semgrep scan to fail or use an invalid baseline commit.
Impact: The semgrep job in the default branch workflow will fail or produce incorrect results.
Fix: Make the baseline commit conditional or use a parameter:
--baseline-commit=${{ github.event.pull_request.base.sha || github.event.before }} \Or add an input parameter to control baseline behavior:
inputs:
baseline_commit:
description: 'Baseline commit for comparison'
required: false
default: ''Then use:
${{ inputs.baseline_commit != '' && format('--baseline-commit={0}', inputs.baseline_commit) || '' }}| --baseline-commit=${{ github.event.pull_request.base.sha }} \ | |
| --baseline-commit=${{ github.event.pull_request.base.sha || github.event.before }} \ |
Spotted by Graphite Agent
Is this helpful? React 👍 or 👎 to let us know.
No description provided.