Semgrep

By following this guide, you integrate Semgrep’s static analysis with SecDim’s interactive training, so that developers get immediate, in-context training resources for the security issues Semgrep reports.

Set Up Semgrep in Your Repository

Ensure that Semgrep is configured in your repository. If it’s not already set up, you can add the Semgrep GitHub Action to your workflow to scan for vulnerabilities.

Generate SARIF Output Using Semgrep

Semgrep can output its findings directly in SARIF format. To do this within a GitHub Actions workflow, add the following step:

- name: Run Semgrep to check for vulnerabilities
  run: semgrep --config auto --sarif --output=semgrep.sarif

This command runs Semgrep with the rule set it selects automatically for the languages in your repository (--config auto) and saves the results in a file named semgrep.sarif.

Upload the SARIF File to GitHub

To visualize the Semgrep scan results within GitHub’s Security tab, upload the SARIF file using the following step:

- name: Upload Semgrep SARIF results
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: semgrep.sarif

This step ensures that GitHub processes the SARIF file and displays the findings appropriately.

Integrate SecDim for In-Context Training

SecDim offers a GitHub Action that parses SARIF files and enriches them with links to interactive secure code training environments. Add the following step to your workflow:

- name: Run SecDim Sandbox Action
  uses: secdim/sandbox-action@v1.0.1
  with:
    input_sarif_file: semgrep.sarif
    output_sarif_file: semgrep.enriched.sarif

This action takes the original semgrep.sarif file, processes it to include links to relevant SecDim Sandboxes, and outputs the enriched SARIF file as semgrep.enriched.sarif.

Upload the Enriched SARIF File

To upload the enriched SARIF file, which now contains the in-context training links, to GitHub, add the following step:

- name: Upload Enriched SARIF results
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: semgrep.enriched.sarif

This final step uploads the enriched SARIF file, allowing developers to access interactive training directly from the identified issues within GitHub’s Security tab.

Complete GitHub Actions Workflow Example

name: In-Context SecDim Training Integration

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # checkout needs read access; scopes not listed here default to none
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: "3.7"

      - name: Install Semgrep
        run: pip install semgrep

      - name: Run Semgrep to check for vulnerabilities
        run: semgrep --config auto --sarif --output=semgrep.sarif

      - name: Upload Semgrep SARIF results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: semgrep.sarif

      - name: Run SecDim Sandbox Action
        uses: secdim/sandbox-action@v1.0.1
        with:
          input_sarif_file: semgrep.sarif
          output_sarif_file: semgrep.enriched.sarif

      - name: Upload Enriched SARIF results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: semgrep.enriched.sarif
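As an added check between the SecDim step and the second upload (example code, not part of this guide or of the SecDim action), the script below compares the original and enriched SARIF files: it confirms that no finding was dropped and counts enriched results whose message carries no training URL. The SARIF sample is constructed with made-up rule ids and paths, and simulate_enrichment is a hypothetical stand-in for the real action, whose exact output format this check does not assume beyond a URL appearing in the result message.

```python
import json
import re

URL_RE = re.compile(r"https?://\S+")

# Constructed SARIF 2.1.0 document in the shape Semgrep emits; the rule ids,
# file paths and line numbers are made up for this example.
ORIGINAL_SARIF = {
    "version": "2.1.0",
    "runs": [{"results": [
        {"ruleId": "example.eval-detected",
         "message": {"text": "Detected the use of eval()."},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/views.py"},
             "region": {"startLine": 42}}}]},
        {"ruleId": "example.sql-raw-query",
         "message": {"text": "Raw SQL built from user input."},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/db.py"},
             "region": {"startLine": 17}}}]},
    ]}],
}

def finding_keys(sarif):
    """One (ruleId, file, line) key per result, so two runs can be compared."""
    keys = set()
    for run in sarif["runs"]:
        for r in run.get("results", []):
            loc = r["locations"][0]["physicalLocation"]
            keys.add((r["ruleId"], loc["artifactLocation"]["uri"],
                      loc["region"]["startLine"]))
    return keys

def results_without_link(sarif):
    """Number of results whose message text carries no http(s) URL."""
    return sum(1 for run in sarif["runs"] for r in run.get("results", [])
               if not URL_RE.search(r["message"]["text"]))

def check_enrichment(original, enriched):
    """Return (findings dropped by enrichment, enriched results with no link)."""
    dropped = finding_keys(original) - finding_keys(enriched)
    return sorted(dropped), results_without_link(enriched)

def simulate_enrichment(sarif, base_url="https://sandbox.example.invalid/"):
    """Hypothetical stand-in for the SecDim step: append a training link per result."""
    enriched = json.loads(json.dumps(sarif))  # deep copy via a JSON round-trip
    for run in enriched["runs"]:
        for r in run.get("results", []):
            r["message"]["text"] += f" Training: {base_url}{r['ruleId']}"
    return enriched
```

In a workflow you would call check_enrichment on the parsed semgrep.sarif and semgrep.enriched.sarif files and fail the job if the first element is non-empty.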