
BAH-4795 | Add Semgrep SAST CI workflow#127

Merged
ravinderkabli merged 1 commit into master from BAH-4795 on Jun 16, 2026

Conversation

@vishalkarmalkarthoughtworks

@vishalkarmalkarthoughtworks vishalkarmalkarthoughtworks commented Jun 16, 2026

Contributor

Summary

Adds .github/workflows/semgrep.yml. Runs Semgrep Community Edition static analysis on PRs, pushes to the default branch, and weekly. Findings upload to the Security tab (Code Scanning) via SARIF.

Part of the org-wide rollout tracked in BAH-4795. Template validated on bahmni-core#330.

Phase 1 — non-blocking

continue-on-error: true so existing findings do not block PRs. Findings still surface in the Security tab. A follow-up will flip to blocking with --baseline-ref once baselines are triaged.

Cost: $0

Semgrep Community Edition (LGPL-2.1) + public registry rules + free GitHub Code Scanning on public repos. No SEMGREP_APP_TOKEN, no Semgrep Cloud account.

Supply-chain hardening

  • Container image and actions pinned to immutable SHAs/digests
  • persist-credentials: false on checkout (least privilege)
  • SARIF upload guarded by hashFiles() so the workflow stays truly non-blocking if Semgrep crashes before producing the SARIF

Test plan

  • Workflow appears in Actions tab and runs on this PR
  • Scan completes (success or non-zero — both OK in phase 1)
  • SARIF uploads to Security tab (visible to write+ collaborators)
  • Subsequent push to default branch triggers the workflow

Adds .github/workflows/semgrep.yml. Runs Semgrep Community Edition on
PRs, pushes to default branch, and weekly. Phase 1 is non-blocking
(continue-on-error: true) while initial findings are triaged. Findings
upload to the Security tab via SARIF.

Container image and actions pinned to immutable digests/SHAs. No
SEMGREP_APP_TOKEN required; no Semgrep Cloud account.
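The PR does not reproduce semgrep.yml, so the following is an added example (not the project's file) showing the hardening points listed above side by side with a weak variant, plus a small checker that flags each missing control: digest-pinned image, SHA-pinned actions, persist-credentials: false on checkout, continue-on-error on the scan step, and a hashFiles() guard on the SARIF upload. Assumptions not taken from the page: the commit SHAs and image digest are obvious placeholders; the cron schedule, the exact semgrep scan flags and the semgrep/semgrep image name are illustrative; the permissions block is included because upload-sarif needs security-events: write.

```python
import re

# Constructed sample workflows (added example, not the PR's semgrep.yml). The
# commit SHAs and the image digest below are placeholders, not real pins.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"   # 40 hex chars
PLACEHOLDER_DIGEST = "sha256:" + "0123456789abcdef" * 4        # 64 hex chars

HARDENED = f"""\
name: Semgrep
on:
  pull_request: {{}}
  push:
    branches: [master]
  schedule:
    - cron: '17 3 * * 1'
permissions:
  contents: read
  security-events: write   # required by upload-sarif
jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep@{PLACEHOLDER_DIGEST}
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v4
        with:
          persist-credentials: false
      - run: semgrep scan --config auto --sarif --output semgrep.sarif
        continue-on-error: true
      - if: always() && hashFiles('semgrep.sarif') != ''
        uses: github/codeql-action/upload-sarif@{PLACEHOLDER_SHA} # v3
        with:
          sarif_file: semgrep.sarif
"""

# Same scan with none of the hardening: mutable tags, token persisted, blocking
# scan step, and an upload that fails the job if Semgrep never wrote the SARIF.
WEAK = """\
name: Semgrep
on: [pull_request, push]
jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep:latest
    steps:
      - uses: actions/checkout@v4
      - run: semgrep scan --config auto --sarif --output semgrep.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def _strip(line):
    """Drop a trailing ' # comment' (e.g. the '# v4' version hint) and whitespace."""
    return line.split(" #", 1)[0].strip()


def split_steps(text):
    """Group the lines under 'steps:' into one list of stripped lines per step."""
    steps, current, in_steps = [], None, False
    for raw in text.splitlines():
        line = _strip(raw)
        if not in_steps:
            in_steps = line == "steps:"
            continue
        if not line:
            continue
        if line.startswith("- "):          # a new list item starts a new step
            current = [line[2:].strip()]
            steps.append(current)
        elif current is not None:
            current.append(line)
    return steps


def audit_workflow(text):
    """Return one finding per missing control; an empty list means the file is clean."""
    findings = []
    for m in re.finditer(r"^\s*image:\s*(\S+)", text, re.M):
        image = m.group(1)
        if not DIGEST_RE.match(image.partition("@")[2]):
            findings.append(f"container image {image} is not pinned to a sha256 digest")
    for step in split_steps(text):
        uses = next((s.split(":", 1)[1].strip() for s in step if s.startswith("uses:")), None)
        if uses is not None:
            name, _, ref = uses.partition("@")
            if not SHA1_RE.match(ref):
                findings.append(f"action {name} pinned to {ref!r}, not a 40-hex commit SHA")
            if name == "actions/checkout" and "persist-credentials: false" not in step:
                findings.append("checkout step does not set persist-credentials: false")
            if name.endswith("/upload-sarif"):
                cond = next((s for s in step if s.startswith("if:")), "")
                if "hashFiles(" not in cond:
                    findings.append("upload-sarif step is not guarded by hashFiles()")
        runs_semgrep = any(s.startswith("run:") and "semgrep" in s for s in step)
        if runs_semgrep and "continue-on-error: true" not in step:
            findings.append("semgrep step lacks continue-on-error: true (phase 1 is non-blocking)")
    return findings


if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("weak", WEAK)):
        found = audit_workflow(text)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

The hashFiles() guard matters because hashFiles returns an empty string when no file matches, so a crashed scan simply skips the upload instead of failing the job on a missing semgrep.sarif. One caveat to keep in mind when reading the test plan: on pull_request runs from forks the GITHUB_TOKEN is read-only, so the SARIF upload will not succeed for fork PRs even with security-events: write declared.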
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@ravinderkabli ravinderkabli left a comment

Contributor


Looks fine

@ravinderkabli ravinderkabli merged commit c721a02 into master Jun 16, 2026
7 checks passed