From d9e87e13b4d39d8ed6a5555c0e7e4fb7230129c4 Mon Sep 17 00:00:00 2001
From: rUv
Date: Wed, 3 Jun 2026 11:18:49 +0200
Subject: [PATCH] fix(ci): SAST actually scans the code + drop deprecated flaky semgrep action (#930)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Two real problems in the Static Application Security Testing job:
1. **It scanned a path that no longer exists.** `bandit -r src/` and `semgrep … src/` pointed at the repo-root `src/`, but the Python code moved to `archive/v1/src/` (64 .py files) when the runtime was rewritten in Rust. So the SAST scan matched nothing — a silent no-op (this is also why `bandit-results.sarif` was "Path does not exist" on recent runs). Fixed both to `archive/v1/src/`.
2. **Deprecated + redundant + flaky semgrep step.** The `returntocorp/semgrep-action@v1` step pulled `returntocorp/semgrep-agent:v1` from Docker Hub every run (intermittently timing out → red check, e.g. on #929) and is EOL. It was redundant: the pip `semgrep --sarif` step is what feeds GitHub Security; the action only pushed to the Semgrep cloud app via SEMGREP_APP_TOKEN. Removed it and folded its `p/docker` + `p/kubernetes` rulesets into the pip semgrep command, so coverage is preserved with no Docker pull.
The job stays `continue-on-error: true` (non-gating). YAML validated.
---
 .github/workflows/security-scan.yml | 33 +++++++++++++++--------------
 1 file changed, 17 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 6cfb4520..c5deb46c 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -46,7 +46,10 @@ jobs:
- name: Run Bandit security scan
run: |
- bandit -r src/ -f sarif -o bandit-results.sarif
+ # The Python codebase lives under archive/v1/src (it moved there when
+ # the runtime was rewritten in Rust). Scanning `src/` matched nothing,
+ # so this SAST step was a silent no-op.
+ bandit -r archive/v1/src/ -f sarif -o bandit-results.sarif
continue-on-error: true
- name: Upload Bandit results to GitHub Security
@@ -57,22 +60,20 @@ jobs:
sarif_file: bandit-results.sarif
category: bandit
- - name: Run Semgrep security scan
- continue-on-error: true
- uses: returntocorp/semgrep-action@v1
- with:
- config: >-
- p/security-audit
- p/secrets
- p/python
- p/docker
- p/kubernetes
- env:
- SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
-
- - name: Generate Semgrep SARIF
+ # Removed the deprecated `returntocorp/semgrep-action@v1` step: it was
+ # redundant (the pip `semgrep --sarif` below is what feeds GitHub Security;
+ # the action only pushed to the Semgrep cloud app via SEMGREP_APP_TOKEN) and
+ # it pulled `returntocorp/semgrep-agent:v1` from Docker Hub on every run,
+ # which intermittently timed out and turned this check red. The pip semgrep
+ # (installed above) needs no Docker pull. The action's `p/docker` +
+ # `p/kubernetes` rulesets are folded into the command below so coverage is
+ # preserved.
+ - name: Run Semgrep + generate SARIF
run: |
- semgrep --config=p/security-audit --config=p/secrets --config=p/python --sarif --output=semgrep.sarif src/
+ semgrep \
+ --config=p/security-audit --config=p/secrets --config=p/python \
+ --config=p/docker --config=p/kubernetes \
+ --sarif --output=semgrep.sarif archive/v1/src/
continue-on-error: true
- name: Upload Semgrep results to GitHub Security
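Review bot: The new `bandit -r archive/v1/src/` line keeps the failure mode this commit is fixing: if that directory is moved or deleted again the step will, by the description's own account, scan nothing and exit green, and with `continue-on-error: true` nobody is told. Guard the target so a missing path fails loudly before bandit runs, `test -d archive/v1/src/ || { echo "SAST target archive/v1/src/ missing"; exit 1; }` (the step is still non-gating, but the log shows an explicit failure instead of an empty result); the semgrep invocation in the second hunk needs the same guard. It is also worth saying in the added comment that this job now covers only the archived Python tree, since the Rust runtime the description mentions gets no SAST from either step here. The enclosing `steps` list starts before this hunk.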
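Review bot: Folding `p/docker` and `p/kubernetes` into a command whose only target is `archive/v1/src/` does not preserve the removed step's coverage: the deleted `returntocorp/semgrep-action@v1` block had no path argument and so presumably scanned the whole checkout, whereas the new command only sees Dockerfiles and Kubernetes manifests if they happen to live under `archive/v1/src/`. Either scan the repository root, `--sarif --output=semgrep.sarif .`, or append the directories that hold the Dockerfiles and manifests as extra targets after `archive/v1/src/`, and adjust the "coverage is preserved" sentence in the comment to match. The `p/...` configs are still fetched from the Semgrep registry on every run, so the step trades the Docker Hub pull for a registry fetch rather than removing the network dependency; the comment could say so. The `steps` list and the pip install the comment refers to are outside this hunk.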