From d1b376d1089721dee86d8138bc5452ff77038094 Mon Sep 17 00:00:00 2001 From: "alexandru.dimofte" Date: Wed, 1 Jul 2026 08:38:47 +0100 Subject: [PATCH 1/5] ci: Enable Semgrep and Zizmor scans --- .github/workflows/semgrep.yml | 38 ++++++++++++++++++++++ .github/workflows/zizmor.yml | 61 +++++++++++++++++++++++++++++++++++ 2 files changed, 99 insertions(+) create mode 100644 .github/workflows/semgrep.yml create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 00000000..649bfadc --- /dev/null +++ b/.github/workflows/semgrep.yml @@ -0,0 +1,38 @@ +# SPDX-FileCopyrightText: (C) 2026 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 +--- + +name: Semgrep Scan + +on: + push: + branches: [main] + pull_request: + branches: [main] + workflow_dispatch: + +permissions: + contents: read +jobs: + semgrep: + permissions: + contents: read + runs-on: ubuntu-latest + container: + image: returntocorp/semgrep@sha256:14e073f6417e5d2d0797aa13f26d569270b86fac9d52052d2358c985f1a4e9f0 # v1.124.0 + steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + + - name: Checkout code + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + - name: Run Semgrep scan + uses: open-edge-platform/orch-ci/.github/actions/security/semgrep@8e869384de7ed5f98941c59c2e4ac73eb09862fb # 2026.1.3 + with: + scan-scope: all + severity: "HIGH" + output-format: "text" diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..01c3587d --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,61 @@ +# SPDX-FileCopyrightText: (C) 2026 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 +--- + +name: Zizmor Scan + +on: + push: + branches: [main] + pull_request: + branches: [main] + workflow_dispatch: + +permissions: + contents: read + +jobs: + zizmor: + permissions: + contents: read + security-events: write + + runs-on: ubuntu-latest + + env: + ZIZMOR_VERSION: 1.20.0 + + steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + + - name: Checkout code + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + + - name: Install uv + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: false + + - name: Run Zizmor + run: | + uvx zizmor=="$ZIZMOR_VERSION" \ + --format sarif \ + .github \ + > zizmor_scan_report.sarif + + - name: Upload SARIF to GitHub Security + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + with: + sarif_file: zizmor_scan_report.sarif + + - name: Upload Zizmor report artifact + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: zizmor-results + path: zizmor_scan_report.sarif + retention-days: 7 From e188f61fa3586cfa4695f8d12f58dda1d013dffb Mon Sep 17 00:00:00 2001 From: Alexandru Dimofte Date: Wed, 1 Jul 2026 16:54:13 +0300 Subject: [PATCH 2/5] ci: Update semgrep.yml --- .github/workflows/semgrep.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 649bfadc..805b37fe 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -35,4 +35,4 @@ jobs: with: scan-scope: all severity: "HIGH" - output-format: "text" + output-format: sarif From 751d79fe6d3d2413b5fbebe80f9b9372d6d03b2f Mon Sep 17 00:00:00 2001 From: Alexandru Dimofte Date: Wed, 1 Jul 2026 17:46:46 +0300 Subject: [PATCH 3/5] ci: Update semgrep.yml --- .github/workflows/semgrep.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 805b37fe..8c821ca7 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -31,8 +31,11 @@ jobs: with: persist-credentials: false - name: Run Semgrep scan - uses: open-edge-platform/orch-ci/.github/actions/security/semgrep@8e869384de7ed5f98941c59c2e4ac73eb09862fb # 2026.1.3 + uses: open-edge-platform/orch-ci/.github/actions/security/semgrep@042e5fabb538da85fcb76a3390a1b55c1d4b3500 # 2026.1.3 with: scan-scope: all severity: "HIGH" output-format: sarif + semgrep-extra-args: > + --exclude-rule missing-user + --exclude-rule missing-user-entrypoint From 14339d547d6b5e4ba9ea87f01fbf1df2359eb8ee Mon Sep 17 00:00:00 2001 From: Alexandru Dimofte Date: Wed, 1 Jul 2026 17:53:31 +0300 Subject: [PATCH 4/5] ci: Update semgrep.yml --- .github/workflows/semgrep.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 8c821ca7..8eeddf3e 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -37,5 +37,5 @@ jobs: severity: "HIGH" output-format: sarif semgrep-extra-args: > - --exclude-rule missing-user - --exclude-rule missing-user-entrypoint + --exclude-rule dockerfile.security.missing-user \ + --exclude-rule dockerfile.security.missing-user-entrypoint From 19312fe650885f6213beb5b5c7a3745399e73c98 Mon Sep 17 00:00:00 2001 From: Alexandru Dimofte Date: Wed, 1 Jul 2026 17:57:59 +0300 Subject: [PATCH 5/5] ci: Update semgrep.yml --- .github/workflows/semgrep.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 8eeddf3e..4ccef3ce 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -36,6 +36,6 @@ jobs: scan-scope: all severity: "HIGH" output-format: sarif - semgrep-extra-args: > - --exclude-rule dockerfile.security.missing-user \ + semgrep-extra-args: | + --exclude-rule dockerfile.security.missing-user --exclude-rule dockerfile.security.missing-user-entrypoint