test semgrep ci (#9534)

* changes * changes * lint
2025-04-12 12:40:29 +08:00 · 2024-10-04 14:02:46 -07:00 · 2024-10-04 14:02:46 -07:00 · c51d2c555b
commit c51d2c555b
parent 4721c5e088
2 changed files with 32 additions and 14 deletions
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@ -1,32 +1,32 @@
-name: Semgrep
+name: semgrep ci

 on:
-    workflow_run:
-        workflows: ["trigger-semgrep"]
-        types:
-            - completed
-    
+  workflow_run:
+    workflows: ["trigger-semgrep"]
+    types:
+      - completed
+
 env:
  CI: true
  PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1"

 concurrency:
-    group: "${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}-${{ github.workflow_ref }}"
-    cancel-in-progress: true
+  group: "${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}-${{ github.workflow_ref }}"
+  cancel-in-progress: true

 permissions: {}

 jobs:
  semgrep:
    permissions:
-        contents: read  
+      contents: read
    name: semgrep/ci
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    outputs:
-        pr_number: ${{ steps.json.outputs.pr_number }}
-        sha: ${{ steps.json.outputs.sha }}
+      pr_number: ${{ steps.json.outputs.pr_number }}
+      sha: ${{ steps.json.outputs.sha }}
    if: (github.actor != 'dependabot[bot]')
    steps:
      - name: Download artifact
@ -38,12 +38,12 @@ jobs:
      - uses: gradio-app/github/actions/json-to-output@main
        id: json
        with:
-          path: output.json  
+          path: output.json
      - uses: actions/checkout@v4
        with:
          repository: ${{ steps.json.outputs.source_repo }}
          ref: ${{ steps.json.outputs.sha }}
-      - run: semgrep ci
+      - run: semgrep ci --config .github/workflows/semgrep_rules.yaml
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN2 }}
  update-status:
@ -61,4 +61,4 @@ jobs:
          name: "Semgrep Results"
          pr: ${{ needs.semgrep.outputs.pr_number }}
          result: ${{ needs.semgrep.result == 'success' && 'success' || 'failure' }}
-          type: all
+          type: all
--- a/.github/workflows/semgrep_rules.yaml
+++ b/.github/workflows/semgrep_rules.yaml
@ -0,0 +1,18 @@
+rules:
+  - id: detect-os-system-calls
+    pattern: os.system(...)
+    message: "Unsafe use of os.system(). Consider using subprocess.run() instead."
+    languages: [python]
+    severity: WARNING
+
+  - id: detect-sql-injection
+    pattern: 'execute("SELECT * FROM " + $TABLE)'
+    message: "Potential SQL injection detected. Use parameterized queries."
+    languages: [python]
+    severity: ERROR
+
+  - id: detect-eval-usage
+    pattern: eval(...)
+    message: "Use of eval() detected. This can be dangerous if used with untrusted input."
+    languages: [python]
+    severity: ERROR