Semgr8s v0.1.8 release

[xopham]

• ci: update to latest k8s versioning
• docs: adjust demo and update docs
• refactor: proper naming for tls key
• refactor: use k8s native name for replicaCount
• feat: switch to production ready cheroot server
• feat: ignore k8s Event resource
• update: bump semgr8s version
• update: bump the pip-packages group with 3 updates (update: bump the pip-packages group with 3 updates #154)
• update: bump the gh-actions-packages group with 5 updates (update: bump the gh-actions-packages group with 5 updates #155)
• update: bump the gh-actions-packages group with 1 update (update: bump the gh-actions-packages group with 1 update #159)
• update: bump the pip-packages group with 1 update (update: bump the pip-packages group with 1 update #158)
• ci: fix nightly permissions
• update: semgr8s v0.1.8

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 1745581.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

.github/workflows/.reusable-sast.yml

Package	Version	License	Issue Type
bridgecrewio/checkov-action	068bd0c37d4fc3fb29500a1c039da808ec60e560	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
actions/actions/dependency-review-action	5bbc3ba658137598168acb2ab73b21c432dd411b	🟢 6.1	Details Check Score Reason Code-Review 🟢 5 found 5 unreviewed changesets out of 10 -- score normalized to 5 Maintained 🟢 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/github/codeql-action/upload-sarif	1b1aada464948af03b950897e5eb522f92603cc2	Unknown	Unknown
actions/actions/dependency-review-action	0fa40c3c10055986a88de3baa0d6ec17c5a894b3	🟢 6.1	Details Check Score Reason Code-Review 🟢 5 found 5 unreviewed changesets out of 10 -- score normalized to 5 Maintained 🟢 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/github/codeql-action/upload-sarif	05963f47d870e2cb19a537396c1f668a348c7d8f	Unknown	Unknown
actions/actions/setup-python	82c7e631bb3cdc910f68e0081d67478d79c6982d	🟢 5.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 9 security policy file detected SAST 🟢 10 SAST tool is run on all commits Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 42 existing vulnerabilities detected
actions/actions/setup-python	0a5c61591373683505ea898e09a3ea4f39ef2b9c	🟢 5.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 9 security policy file detected SAST 🟢 10 SAST tool is run on all commits Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 42 existing vulnerabilities detected
actions/actions/setup-python	82c7e631bb3cdc910f68e0081d67478d79c6982d	🟢 5.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 9 security policy file detected SAST 🟢 10 SAST tool is run on all commits Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 42 existing vulnerabilities detected
actions/bridgecrewio/checkov-action	068bd0c37d4fc3fb29500a1c039da808ec60e560	Unknown	Unknown
actions/github/codeql-action/analyze	1b1aada464948af03b950897e5eb522f92603cc2	Unknown	Unknown
actions/github/codeql-action/init	1b1aada464948af03b950897e5eb522f92603cc2	Unknown	Unknown
actions/github/codeql-action/upload-sarif	1b1aada464948af03b950897e5eb522f92603cc2	Unknown	Unknown
actions/actions/setup-python	0a5c61591373683505ea898e09a3ea4f39ef2b9c	🟢 5.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 9 security policy file detected SAST 🟢 10 SAST tool is run on all commits Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 42 existing vulnerabilities detected
actions/bridgecrewio/checkov-action	06112e15bd63a2efc6b1655c67372c1737658fe7	Unknown	Unknown
actions/github/codeql-action/analyze	05963f47d870e2cb19a537396c1f668a348c7d8f	Unknown	Unknown
actions/github/codeql-action/init	05963f47d870e2cb19a537396c1f668a348c7d8f	Unknown	Unknown
actions/github/codeql-action/upload-sarif	05963f47d870e2cb19a537396c1f668a348c7d8f	Unknown	Unknown
actions/anchore/sbom-action	ab5d7b5f48981941c4c5d6bf33aeb98fe3bae38c	🟢 4.9	Details Check Score Reason Code-Review 🟢 9 found 1 unreviewed changesets out of 13 -- score normalized to 9 Maintained 🟢 10 18 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Binary-Artifacts 🟢 9 binaries present in source code Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 11 existing vulnerabilities detected
actions/anchore/sbom-action	9fece9e20048ca9590af301449208b2b8861333b	🟢 4.9	Details Check Score Reason Code-Review 🟢 9 found 1 unreviewed changesets out of 13 -- score normalized to 9 Maintained 🟢 10 18 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Binary-Artifacts 🟢 9 binaries present in source code Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 11 existing vulnerabilities detected
pip/cheroot	10.0.0	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 0 found 9 unreviewed changesets out of 9 -- score normalized to 0 Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 License 🟢 10 license file detected CII-Best-Practices ⚠️ 2 badge detected: InProgress Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
pip/jaraco-functools	4.0.0	🟢 5.5	Details Check Score Reason Code-Review ⚠️ 0 found 27 unreviewed changesets out of 29 -- score normalized to 0 Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
pip/mkdocs-material	9.5.17	🟢 5.5	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 23 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 3 found 21 unreviewed changesets out of 30 -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Packaging 🟢 10 packaging workflow detected Binary-Artifacts 🟢 10 no binaries found in the repo Vulnerabilities 🟢 10 0 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
pip/more-itertools	10.2.0	🟢 5.3	Details Check Score Reason Code-Review 🟢 3 found 9 unreviewed changesets out of 14 -- score normalized to 3 Maintained 🟢 10 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing 🟢 10 project is fuzzed Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
pip/pytest-cov	5.0.0	🟢 4.6	Details Check Score Reason Code-Review ⚠️ 2 found 20 unreviewed changesets out of 26 -- score normalized to 2 Maintained 🟢 10 20 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Fuzzing ⚠️ 0 project is not fuzzed Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 6 4 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
pip/semgrep	1.67.0	Unknown	Unknown
pip/mkdocs-material	9.5.14	🟢 5.5	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 23 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 3 found 21 unreviewed changesets out of 30 -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Packaging 🟢 10 packaging workflow detected Binary-Artifacts 🟢 10 no binaries found in the repo Vulnerabilities 🟢 10 0 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
pip/pytest-cov	4.1.0	🟢 4.6	Details Check Score Reason Code-Review ⚠️ 2 found 20 unreviewed changesets out of 26 -- score normalized to 2 Maintained 🟢 10 20 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Fuzzing ⚠️ 0 project is not fuzzed Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 6 4 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
pip/semgrep	1.66.0	Unknown	Unknown
pip/cheroot	10.0.0	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 0 found 9 unreviewed changesets out of 9 -- score normalized to 0 Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 License 🟢 10 license file detected CII-Best-Practices ⚠️ 2 badge detected: InProgress Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
pip/semgrep	1.67.0	Unknown	Unknown
pip/semgrep	1.66.0	Unknown	Unknown

Scanned Manifest Files

.github/workflows/.reusable-compliance.yml

• actions/dependency-review-action@5bbc3ba
• github/codeql-action@1b1aada
• actions/dependency-review-action@0fa40c3
• github/codeql-action@05963f4

.github/workflows/.reusable-docs.yml

• actions/setup-python@82c7e63
• actions/setup-python@0a5c615

.github/workflows/.reusable-sast.yml

• actions/setup-python@82c7e63
• bridgecrewio/checkov-action@068bd0c
• github/codeql-action@1b1aada
• github/codeql-action@1b1aada
• github/codeql-action@1b1aada
• actions/setup-python@0a5c615
• bridgecrewio/checkov-action@06112e1
• github/codeql-action@05963f4
• github/codeql-action@05963f4
• github/codeql-action@05963f4

.github/workflows/.reusable-sca.yml

• anchore/sbom-action@ab5d7b5
• anchore/sbom-action@9fece9e

poetry.lock

• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]

pyproject.toml

• [email protected]
• [email protected]
• [email protected]

[github-actions]

Coverage Report

File	Stmts	Miss	Cover	Missing
semgr8s
__main__.py	16	16	0%	5–29
app.py	78	3	96%	116, 175–176
k8s_api.py	22	2	91%	43–44
updater.py	19	2	89%	34–35
TOTAL	187	23	88%

Tests	Skipped	Failures	Errors	Time
18	0 💤	0 ❌	0 🔥	1.986s ⏱️