Add semgrep

This adds semgrep to the project and fixes the initial problems found.
hlascelles · Sep 21, 2023 · 3ff4cba · 3ff4cba
1 parent bb7d092
commit 3ff4cba
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 6 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -42,7 +42,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@a9fb7d923c0e2516dbb608ac87d9c3cdd12e236d # v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@b0c570ef831ff590914bc634a504523f320c265b # v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -69,6 +69,6 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@8ab72a0f4710f64c7212160969f7ea05f111a31d # v2
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/reviewdog.yaml b/.github/workflows/reviewdog.yaml
@@ -6,7 +6,7 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v1
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@d01c52ad8bb5e96ea744946c5283be6a168feece # v1.540.0
         with:
           ruby-version: 3.0.0
       - run: bundle check || bundle install
@@ -19,7 +19,7 @@ jobs:
     steps:
       - uses: actions/checkout@v1
       - name: shellcheck
-        uses: reviewdog/action-shellcheck@v1
+        uses: reviewdog/action-shellcheck@f7921e489694b9d1fc5c3a843b414a95141fc380 # v1.19.0
         with:
           github_token: ${{ secrets.github_token }}
           reporter: github-pr-review # Change reporter.

diff --git a/.github/workflows/semgrep.yaml b/.github/workflows/semgrep.yaml
@@ -0,0 +1,14 @@
+name: Semgrep
+on: [pull_request]
+
+jobs:
+  semgrep:
+    name: semgrep/ci
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    # Skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      - uses: actions/checkout@v3
+      - run: semgrep ci
diff --git a/.github/workflows/specs.yaml b/.github/workflows/specs.yaml
@@ -14,7 +14,7 @@ jobs:
     steps:
       - name: Check out code.
         uses: actions/checkout@v1
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@d01c52ad8bb5e96ea744946c5283be6a168feece # v1.540.0
         with:
           ruby-version: ${{ matrix.ruby }}
       - run: bundle check || bundle install