From c51d2c555b355bc270586eeab6da970b1d3dc0d1 Mon Sep 17 00:00:00 2001 From: Abubakar Abid Date: Fri, 4 Oct 2024 14:02:46 -0700 Subject: [PATCH] test semgrep ci (#9534) * changes * changes * lint
---
 .github/workflows/semgrep.yml | 28 ++++++++++++++--------------
 .github/workflows/semgrep_rules.yaml | 18 ++++++++++++++++++
 2 files changed, 32 insertions(+), 14 deletions(-)
 create mode 100644 .github/workflows/semgrep_rules.yaml
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 734bfde8ec..b3c4aa6401 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -1,32 +1,32 @@ -name: Semgrep +name: semgrep ci on: - workflow_run: - workflows: ["trigger-semgrep"] - types: - - completed - + workflow_run: + workflows: ["trigger-semgrep"] + types: + - completed + env: CI: true PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1" concurrency: - group: "${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}-${{ github.workflow_ref }}" - cancel-in-progress: true + group: "${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}-${{ github.workflow_ref }}" + cancel-in-progress: true permissions: {} jobs: semgrep: permissions: - contents: read + contents: read name: semgrep/ci runs-on: ubuntu-latest container: image: semgrep/semgrep outputs: - pr_number: ${{ steps.json.outputs.pr_number }} - sha: ${{ steps.json.outputs.sha }} + pr_number: ${{ steps.json.outputs.pr_number }} + sha: ${{ steps.json.outputs.sha }} if: (github.actor != 'dependabot[bot]') steps: - name: Download artifact 
@@ -38,12 +38,12 @@ jobs: - uses: gradio-app/github/actions/json-to-output@main id: json with: - path: output.json + path: output.json - uses: actions/checkout@v4 with: repository: ${{ steps.json.outputs.source_repo }} ref: ${{ steps.json.outputs.sha }} - - run: semgrep ci + - run: semgrep ci --config .github/workflows/semgrep_rules.yaml env: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN2 }} update-status:
@@ -61,4 +61,4 @@ jobs: name: "Semgrep Results" pr: ${{ needs.semgrep.outputs.pr_number }} result: ${{ needs.semgrep.result == 'success' && 'success' || 'failure' }} - type: all
\ No newline at end of file
+ type: all
diff --git a/.github/workflows/semgrep_rules.yaml b/.github/workflows/semgrep_rules.yaml
new file mode 100644
index 0000000000..4eab4c6351
--- /dev/null
+++ b/.github/workflows/semgrep_rules.yaml
@@ -0,0 +1,18 @@ +rules: + - id: detect-os-system-calls + pattern: os.system(...) + message: "Unsafe use of os.system(). Consider using subprocess.run() instead." + languages: [python] + severity: WARNING + + - id: detect-sql-injection + pattern: 'execute("SELECT * FROM " + $TABLE)' + message: "Potential SQL injection detected. Use parameterized queries." + languages: [python] + severity: ERROR + + - id: detect-eval-usage + pattern: eval(...) + message: "Use of eval() detected. This can be dangerous if used with untrusted input." + languages: [python] + severity: ERROR
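Review bot: The `--config .github/workflows/semgrep_rules.yaml` path on the new `run:` line resolves inside the checkout made two steps earlier, which is `${{ steps.json.outputs.source_repo }}` at the pull request's `sha`, so the rule set applied to a pull request is whatever copy of that file the pull request itself carries; an edit to the file in the PR can empty the rules and the step still reports success. The rules should come from the trusted side: check out the base repository's copy into a separate directory and point `--config` at that, as sketched below (in a `workflow_run` job a plain `actions/checkout` gives the base repository's default branch, as far as I recall; please confirm). Separately, if I remember correctly `semgrep ci` with an explicit `--config` runs only those rules and no longer applies the policy tied to `SEMGREP_APP_TOKEN`, so if the hosted policy was meant to keep running that is worth checking. The enclosing `semgrep` job starts before this hunk.
```yaml
      - uses: actions/checkout@v4
        with:
          path: trusted-rules
          sparse-checkout: .github/workflows
      - uses: actions/checkout@v4
        with:
          repository: ${{ steps.json.outputs.source_repo }}
          ref: ${{ steps.json.outputs.sha }}
          path: src
      - run: semgrep ci --config ../trusted-rules/.github/workflows/semgrep_rules.yaml
        working-directory: src
        # … unchanged: env with SEMGREP_APP_TOKEN …
```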
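Review bot: The `detect-sql-injection` pattern in the new file, `execute("SELECT * FROM " + $TABLE)`, only matches a bare `execute` call whose argument is exactly that string literal joined with `+`; `cursor.execute(...)` (a bare function pattern does not match a method call, as far as I recall), any other statement prefix, and `%`/`.format` string building all pass silently, so an ERROR-severity rule that almost never fires gives a false sense of coverage. A `pattern-either` over the common call shapes, as below, or a registry ruleset such as `p/sql-injection`, covers the realistic cases; string-building checks stay coarse either way, and semgrep's taint mode is the right tool for a precise version. One placement note: GitHub treats every `.yml`/`.yaml` under `.github/workflows/` as a workflow definition, so this rules file may be reported as an invalid workflow in the Actions tab; a directory such as `.semgrep/`, with the `--config` path in semgrep.yml adjusted to match, avoids that.
```yaml
  - id: detect-sql-injection
    pattern-either:
      - pattern: $CURSOR.execute($QUERY + $TAINT)
      - pattern: $CURSOR.execute($QUERY % $TAINT)
      - pattern: $CURSOR.execute($QUERY.format(...))
    # … unchanged: message, languages, severity; detect-os-system-calls and detect-eval-usage rules …
```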