diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 6cfb4520..c5deb46c 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -46,7 +46,10 @@ jobs: - name: Run Bandit security scan run: | - bandit -r src/ -f sarif -o bandit-results.sarif + # The Python codebase lives under archive/v1/src (it moved there when + # the runtime was rewritten in Rust). Scanning `src/` matched nothing, + # so this SAST step was a silent no-op. + bandit -r archive/v1/src/ -f sarif -o bandit-results.sarif continue-on-error: true - name: Upload Bandit results to GitHub Security @@ -57,22 +60,20 @@ jobs: sarif_file: bandit-results.sarif category: bandit - - name: Run Semgrep security scan - continue-on-error: true - uses: returntocorp/semgrep-action@v1 - with: - config: >- - p/security-audit - p/secrets - p/python - p/docker - p/kubernetes - env: - SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} - - - name: Generate Semgrep SARIF + # Removed the deprecated `returntocorp/semgrep-action@v1` step: it was + # redundant (the pip `semgrep --sarif` below is what feeds GitHub Security; + # the action only pushed to the Semgrep cloud app via SEMGREP_APP_TOKEN) and + # it pulled `returntocorp/semgrep-agent:v1` from Docker Hub on every run, + # which intermittently timed out and turned this check red. The pip semgrep + # (installed above) needs no Docker pull. The action's `p/docker` + + # `p/kubernetes` rulesets are folded into the command below so coverage is + # preserved. + - name: Run Semgrep + generate SARIF run: | - semgrep --config=p/security-audit --config=p/secrets --config=p/python --sarif --output=semgrep.sarif src/ + semgrep \ + --config=p/security-audit --config=p/secrets --config=p/python \ + --config=p/docker --config=p/kubernetes \ + --sarif --output=semgrep.sarif archive/v1/src/ continue-on-error: true - name: Upload Semgrep results to GitHub Security