ci: add Semgrep SAST scanning on pull requests#211
Conversation
Made-with: Cursor
Firetiger deploy monitoring skipped. This PR didn't match the auto-monitor filter configured on your GitHub connection.
Reason: PR only modifies CI configuration and Semgrep settings, not kernel API endpoints or Temporal workflows. To monitor this PR anyway, reply with
| .next/ | ||
| *_test.go | ||
| go.sum | ||
| package-lock.json |
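Review bot: the `*_test.go` line drops every Go test file from the scan, which silences real findings as well as noise (hardcoded secrets or disabled TLS verification in test helpers are common and ship in the repo); consider keeping tests in scope and suppressing only the specific rules that are noisy there, or add a comment in the file recording the trade-off. The lock-file lines (`go.sum`, `package-lock.json`) should also be checked against what the repository actually commits; the review above notes a `bun.lock` at the root that this list does not cover.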
Missing bun.lock in .semgrepignore lock file list
Low Severity
The .semgrepignore includes go.sum and package-lock.json as lock files to ignore, but the repository actually uses bun.lock (present at the repo root alongside package.json with @types/bun as a dev dependency). This lock file is not listed in the ignore file, inconsistent with the stated intent to exclude lock files from scanning.
Reviewed by Cursor Bugbot for commit a2daadf. Configure here.
Sayan-
left a comment
LGTM — standard Semgrep reusable workflow rollout. Good .semgrepignore coverage for generated oapi.go, headful client, and cdp-test.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit 42c18c8. Configure here.
| *_test.go | ||
| go.sum | ||
| package-lock.json | ||
| server/lib/oapi/oapi.go |
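Review bot: excluding `server/lib/oapi/oapi.go` by exact path does not scale; every other generated Go file needs its own line, and the review above already found one that is missing (`server/lib/policy/policy_registry.go`, marked `// Code generated by generate_registry.py ... DO NOT EDIT.`). Prefer a convention-based exclusion, for example a glob on the directory each generator writes to, so that newly generated files are excluded by default rather than only after someone notices the false positives.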
Generated file not excluded from Semgrep scanning
Low Severity
The .semgrepignore excludes server/lib/oapi/oapi.go as generated code, but misses server/lib/policy/policy_registry.go, which is also auto-generated (marked // Code generated by generate_registry.py ... DO NOT EDIT.). This large 500+ line file of map literals will be scanned by Semgrep, likely producing false positives on code that developers don't maintain by hand.


Adds Semgrep static analysis on PRs to main via the reusable workflow in kernel/security-workflows. Includes .semgrepignore for generated code, test fixtures, and lock files.
Note: Low Risk
Low risk CI-only change that adds static analysis on PRs and ignores generated/third-party files; main impact is potential new PR check failures/noise.
Overview
Adds a Semgrep SAST GitHub Actions workflow that runs on pull requests to main via the reusable kernel/security-workflows workflow, scanning with the p/golang and p/javascript rulesets. Introduces a .semgrepignore to exclude dependencies, build artifacts, lockfiles, tests, and specific generated/fixture paths from scanning.