From abe699527833446fef2433559fbae466db46508c Mon Sep 17 00:00:00 2001 From: security-bot Date: Thu, 13 Oct 2022 10:03:22 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=84=20Created=20local=20'.github/workf?= =?UTF-8?q?lows/semgrep.yml'=20from=20remote=20'semgrep/semgrep.yml'?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/semgrep.yml | 57 +++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 .github/workflows/semgrep.yml diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 0000000..5459773 --- /dev/null +++ b/.github/workflows/semgrep.yml 
@@ -0,0 +1,57 @@
+name: Semgrep
+
+on:
+  # Scan changed files in PRs, block on new issues only (existing issues ignored)
+  pull_request:
+    branches:
+      - master
+      - main
+
+  # Schedule this job to run at a certain time, using cron syntax
+  # Note that * is a special character in YAML so you have to quote this string
+  schedule:
+    - cron: '00 03 * * 0' # scheduled for 8.30 AM on every sunday
+
+jobs:
+  semgrep:
+    name: Static code Analysis
+    runs-on: [ self-hosted ]
+
+    # Skip any PR created by dependabot to avoid permission issues
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      # Fetch project source
+      - uses: actions/checkout@v3
+      - run: /usr/bin/git clone https://${{ secrets.SEMGREP_PAT }}@github.cmd.navi-tech.in/Information-Security/semgrep-rules.git
+
+      - run: semgrep ci --json > semgrep.json
+        env:
+          PR_NUMBER: ${{ github.event.number }}
+          # Select rules for your scan with one of these two options.
+          # Option 1: set hard-coded rulesets
+          SEMGREP_RULES: >- # more at semgrep.dev/r
+            ./semgrep-rules
+
+      - name: Vulnerability Analysis Result
+        if: failure()
+        run: /usr/bin/curl -X POST http://semgrep.cmd.navi-tech.in/v1/semgrep/ -H "X-repo-name":${{ github.repository }} -H "X-pr-number":${{github.event.number}} -H "X-event-name":${{ github.event_name }} -H "Content-Type:application/json" -d @semgrep.json
+
+      - name: Send the Result
+        run: /usr/bin/curl -X GET http://semgrep.cmd.navi-tech.in/v1/semgrep/ -H "X-repo-name":${{ github.repository }} -H "X-pr-number":${{github.event.number}} -H "X-event-name":${{ github.event_name }} -H "Content-Type:application/json"
+
+  run-if-failed:
+    runs-on: [ self-hosted ]
+    needs: [semgrep]
+    if: always() && (needs.semgrep.result == 'failure')
+    steps:
+      - name: Create comment
+        if: ${{ ( github.event.number != '' ) }}
+        uses: peter-evans/create-or-update-comment@v2
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            **Vulnerabilities have been discovered in this PR. 
Please check the vulnerability Analysis section of Semgrep Workflow to understand the security vulnerability. Feel free to reach out to #sast-help for more information **
+
+      - name: Assign Reviewers
+        if: ${{ ( github.event.number != '' ) }}
+        uses: Information-Security/security-oncall-action@v1.1
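Review bot: The `git clone https://${{ secrets.SEMGREP_PAT }}@github.cmd.navi-tech.in/...` step writes the PAT into the cloned repo's `.git/config` (as the `origin` URL) inside the workspace of a persistent self-hosted runner, where it survives until the next checkout cleans the directory and is readable by anything else on that host; log masking only hides it from the job output. If the rules repo lives on the same GHES instance this workflow runs on, fetch it with `actions/checkout` using a `token:` input and `persist-credentials: false` instead, so the credential is never stored on disk (see below). Separately, both curl steps send scan findings to `http://semgrep.cmd.navi-tech.in` in plaintext and run without `--fail`, so an HTTP-level upload error still leaves the step green; `https://` plus `--fail --silent --show-error` would address both. The third-party actions are pinned to moving tags (`@v2`, `@v1.1`) rather than commit SHAs, and the workflow has no top-level `permissions:` block, so the comment job runs with the repository's default token scope rather than just `pull-requests: write`.

```yaml
      # Fetch project source
      - uses: actions/checkout@v3
      # Fetch the private rule set without writing the PAT into .git/config
      - uses: actions/checkout@v3
        with:
          repository: Information-Security/semgrep-rules
          token: ${{ secrets.SEMGREP_PAT }}
          path: semgrep-rules
          persist-credentials: false
      # … unchanged: semgrep ci step and result upload …
```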