ci: add Semgrep SAST scanning on pull requests#196
Made-with: Cursor
Firetiger deploy monitoring skipped. This PR didn't match the auto-monitor filter configured on your GitHub connection.
Reason: PR only modifies CI/security tooling configuration, not kernel API endpoints or Temporal workflows. To monitor this PR anyway, reply with
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 9c774a2.
```
vendor/
dist/
*_test.go
go.sum
```
Generated Go files not excluded from scanning
Medium Severity
The `.semgrepignore` file doesn't actually exclude any of the repository's generated Go files, despite the PR description stating it covers generated code. Files like `cmd/api/wire_gen.go` (Wire), `lib/guest/guest.pb.go` and `lib/guest/guest_grpc.pb.go` (protobuf), `lib/oapi/oapi.go`, and `lib/vmm/vmm.go` (oapi-codegen) are all generated and marked with "DO NOT EDIT" but will still be scanned, likely producing false positives that create CI noise or block PRs.
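The finding above (generated Go files still scanned) and the PR description's claim that `.semgrepignore` covers generated code can both be checked mechanically instead of by eyeballing the ignore file. The shell script below is an added example, not code from this PR or from kernel/security-workflows: it finds Go files carrying the `// Code generated ... DO NOT EDIT.` header that Go code generators write, and reports which of them are not named in a `.semgrepignore`. It builds a constructed sample tree whose file names mirror the ones the review mentions (the file contents are synthetic), and it assumes exact-path entries in the ignore file; any pattern syntax the ignore file uses is deliberately not interpreted.

```shell
#!/bin/sh
# Added example (not part of the PR or of kernel/security-workflows).
# Go-generated files carry a header line matching the convention documented
# for Go tooling:  ^// Code generated .* DO NOT EDIT\.$
# This script lists such files and reports the ones a .semgrepignore does not
# name explicitly, so a reviewer can tell whether "generated code" is really excluded.

# find_generated_go DIR
#   prints, one per line and sorted, the DIR-relative paths of *.go files
#   whose first 20 lines contain the "Code generated ... DO NOT EDIT." marker
find_generated_go() {
  (
    cd "$1" || exit 1
    find . -name '*.go' -type f | sed 's|^\./||' | while read -r f; do
      if head -n 20 "$f" | grep -Eq '^// Code generated .* DO NOT EDIT\.$'; then
        printf '%s\n' "$f"
      fi
    done | sort
  )
}

# missing_from_semgrepignore DIR IGNOREFILE
#   prints generated files whose exact relative path is not a line of IGNOREFILE.
#   Only exact-line matches count: glob patterns in IGNOREFILE are not expanded,
#   so a file covered by e.g. "*.pb.go" is still reported and must be checked by hand.
missing_from_semgrepignore() {
  dir="$1"
  ignore="$2"
  find_generated_go "$dir" | while read -r p; do
    grep -Fxq -e "$p" "$ignore" || printf '%s\n' "$p"
  done
}

# Constructed sample tree (paths mirror the ones the review names; contents are synthetic).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/cmd/api" "$demo_dir/lib/guest"
printf '// Code generated by Wire. DO NOT EDIT.\n\npackage main\n' \
  > "$demo_dir/cmd/api/wire_gen.go"
printf '// Code generated by protoc-gen-go. DO NOT EDIT.\n// versions:\npackage guest\n' \
  > "$demo_dir/lib/guest/guest.pb.go"
printf 'package main\n\nfunc main() {}\n' > "$demo_dir/cmd/api/main.go"
# Ignore file with the same entries the PR shows, plus one generated file listed by path.
printf 'vendor/\ndist/\n*_test.go\ngo.sum\ncmd/api/wire_gen.go\n' > "$demo_dir/.semgrepignore"

echo "generated Go files:"
find_generated_go "$demo_dir"
echo "generated files not named in .semgrepignore:"
missing_from_semgrepignore "$demo_dir" "$demo_dir/.semgrepignore"
```

In the sample tree the script lists both generated files and reports only `lib/guest/guest.pb.go` as missing, because `cmd/api/wire_gen.go` is named in the ignore file while `main.go` has no marker. Exact-path matching is conservative on purpose: if the ignore file relies on patterns such as `*.pb.go`, those files still show up in the output and the reviewer confirms them against the patterns, rather than the script silently assuming a pattern applies. Run against the real tree in CI, the same check turns a review observation into a failing job whenever a new generator output lands without a matching ignore entry.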
Sayan- left a comment:
LGTM — standard Semgrep reusable workflow rollout. Go configs and .semgrepignore look correct.


Adds Semgrep static analysis on PRs to `main` via the reusable workflow in `kernel/security-workflows`. Includes `.semgrepignore` for generated code, test fixtures, and lock files.
Note
Low Risk
Low risk CI-only change that adds static analysis on PRs; the main risk is new PR check noise or false positives affecting developer workflow.
Overview
Adds a new GitHub Actions workflow (`.github/workflows/semgrep.yml`) that runs Semgrep on pull requests to `main` via the shared `kernel/security-workflows` reusable workflow, enabling the `p/golang` and `p/trailofbits` rulesets. Introduces `.semgrepignore` to exclude dependencies/build output and other low-signal files (e.g., `node_modules/`, `vendor/`, `dist/`, `*_test.go`, `go.sum`) from scanning.