Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions .github/workflows/semgrep.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
# SPDX-FileCopyrightText: (C) 2026 Intel Corporation
# SPDX-License-Identifier: Apache-2.0
---

name: Semgrep Scan

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a public repository, will not have access for calling Intel internal: intel-innersource/frameworks.actions.semgrep-static-code-scan/.github/workflows/semgrep.yml@main


on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:

permissions:
contents: read
jobs:
semgrep:
permissions:
contents: read
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep@sha256:14e073f6417e5d2d0797aa13f26d569270b86fac9d52052d2358c985f1a4e9f0 # v1.124.0
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- name: Checkout code
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Run Semgrep scan
uses: open-edge-platform/orch-ci/.github/actions/security/semgrep@042e5fabb538da85fcb76a3390a1b55c1d4b3500 # 2026.1.3
with:
scan-scope: all
severity: "HIGH"
output-format: sarif
semgrep-extra-args: |
--exclude-rule dockerfile.security.missing-user
--exclude-rule dockerfile.security.missing-user-entrypoint
61 changes: 61 additions & 0 deletions .github/workflows/zizmor.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
# SPDX-FileCopyrightText: (C) 2026 Intel Corporation
# SPDX-License-Identifier: Apache-2.0
---

name: Zizmor Scan

on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:

permissions:
contents: read

jobs:
zizmor:
permissions:
contents: read
security-events: write

runs-on: ubuntu-latest

env:
ZIZMOR_VERSION: 1.20.0

steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- name: Checkout code
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false

- name: Install uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: false

- name: Run Zizmor
run: |
uvx zizmor=="$ZIZMOR_VERSION" \
--format sarif \
.github \
> zizmor_scan_report.sarif

- name: Upload SARIF to GitHub Security
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: zizmor_scan_report.sarif

- name: Upload Zizmor report artifact
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: zizmor-results
path: zizmor_scan_report.sarif
retention-days: 7
Loading