























@@ -0,0 +1,76 @@
1+name: OpenGrep — PR Diff
2+3+# Runs the high-precision OpenGrep rule super-config against only first-party
4+# source paths changed by a pull request. Keeping PR scans diff-scoped makes
5+# findings attributable to the proposed change instead of surfacing unrelated
6+# repository-wide backlog.
7+#
8+# For a repository-wide scan, use the manual OpenGrep — Full workflow.
9+10+on:
11+pull_request:
12+13+concurrency:
14+group: opengrep-pr-diff-${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
15+cancel-in-progress: true
16+17+permissions:
18+contents: read
19+security-events: write
20+21+jobs:
22+scan:
23+name: Scan changed paths (precise)
24+runs-on: blacksmith-16vcpu-ubuntu-2404
25+timeout-minutes: 30
26+steps:
27+ - name: Checkout
28+uses: actions/checkout@v4
29+with:
30+persist-credentials: false
31+# `scripts/run-opengrep.sh --changed` diffs base...HEAD.
32+fetch-depth: 0
33+34+ - name: Install opengrep
35+env:
36+# Pin both the install script (by commit SHA) and the binary version.
37+# The script SHA must match the v1.19.0 release tag in opengrep/opengrep
38+# so a compromised or force-pushed `main` cannot RCE in our CI runner.
39+# Bump both together when upgrading.
40+OPENGREP_VERSION: v1.19.0
41+OPENGREP_INSTALL_SHA: 9a4c0a68220618441608cd2bad4ff2eddccf8113
42+run: |
43+ curl -fsSL "https://raw.githubusercontent.com/opengrep/opengrep/${OPENGREP_INSTALL_SHA}/install.sh" \
44+ | bash -s -- -v "$OPENGREP_VERSION"
45+ echo "$HOME/.opengrep/cli/latest" >> "$GITHUB_PATH"
46+47+ - name: Verify opengrep
48+run: opengrep --version
49+50+ - name: Run opengrep on PR diff
51+env:
52+OPENCLAW_OPENGREP_BASE_REF: ${{ github.event.pull_request.base.sha }}...HEAD
53+# Findings from precise rules block this workflow. Pull requests scan
54+# changed first-party source paths only so findings stay attributable to
55+# the PR diff. Test/fixture/QA path exclusions live in `.semgrepignore`
56+# at the repo root and are picked up automatically.
57+run: |
58+ mkdir -p .opengrep-out
59+ scripts/run-opengrep.sh --changed --sarif --error
60+61+ - name: Upload SARIF to GitHub Code Scanning
62+uses: github/codeql-action/upload-sarif@v3
63+# Only upload if the scan actually produced a SARIF file.
64+if: always() && hashFiles('.opengrep-out/precise.sarif') != ''
65+with:
66+sarif_file: .opengrep-out/precise.sarif
67+category: opengrep-pr-diff
68+69+ - name: Upload SARIF as workflow artifact
70+if: always()
71+uses: actions/upload-artifact@v4
72+with:
73+name: opengrep-pr-diff-sarif
74+path: .opengrep-out/precise.sarif
75+if-no-files-found: warn
76+retention-days: 30
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。