From d86e35e05dd38738990a88099ccb1ed015425a14 Mon Sep 17 00:00:00 2001 From: Tomas Tauber <2410580+tomtau@users.noreply.github.com> Date: Wed, 21 Sep 2022 14:01:47 +0800 Subject: [PATCH] Problem: missing additional static analysis scans (#862) Solution: added semgrep and gosec --- .github/workflows/gosec.yml | 35 +++++++++++++++++++++++++++++++++++ .github/workflows/semgrep.yml | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100644 .github/workflows/gosec.yml create mode 100644 .github/workflows/semgrep.yml diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml new file mode 100644 index 000000000..abb62bbb2 --- /dev/null +++ b/.github/workflows/gosec.yml @@ -0,0 +1,35 @@ +name: Run Gosec +on: + pull_request: + push: + branches: + - master + - release/** + +jobs: + Gosec: + runs-on: ubuntu-latest + env: + GO111MODULE: on + steps: + - uses: actions/checkout@v3 + with: + submodules: true + - uses: technote-space/get-diff-action@v3 + with: + SUFFIX_FILTER: | + .go + .mod + .sum + - name: Run Gosec Security Scanner + uses: informalsystems/gosec@master + with: + # we let the report trigger content trigger a failure using the GitHub Security features. + args: '-no-fail -fmt sarif -out results.sarif ./...' + if: "env.GIT_DIFF_FILTERED != ''" + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: results.sarif + if: "env.GIT_DIFF_FILTERED != ''" diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 000000000..fa66dcc54 --- /dev/null +++ b/.github/workflows/semgrep.yml 
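Review bot: The scanner step pulls a third-party action from a mutable branch, `uses: informalsystems/gosec@master`, so whoever controls that branch can run arbitrary code in this workflow with the repository checked out (including its submodules); pin it to a release tag or, better, a full commit SHA, e.g. `uses: informalsystems/gosec@<40-char-sha> # vX.Y.Z`, and consider the same for `technote-space/get-diff-action@v3`. The `upload-sarif` step needs `security-events: write` on the job token, which it will not have if the repository's default token permissions are read-only, and it never has it on pull requests from forks, so the upload step will fail there; add an explicit `permissions:` block to the job (`contents: read`, `security-events: write`) and expect fork PRs to still fail unless that step is made conditional. `GO111MODULE: on` is an unquoted YAML 1.1 boolean; quoting it as `GO111MODULE: "on"` removes the dependence on how the loader types it (it may be unnecessary since Go 1.16 defaults modules on anyway).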
@@ -0,0 +1,34 @@ +name: Semgrep +on: + # Scan changed files in PRs, block on new issues only (existing issues ignored) + pull_request: {} + push: + branches: + - master + - release/** + paths: + - .github/workflows/semgrep.yml + schedule: + - cron: '0 0 * * 0' +jobs: + # Update from: https://semgrep.dev/docs/semgrep-ci/sample-ci-configs/#github-actions + semgrep: + name: Scan + runs-on: ubuntu-latest + container: + image: returntocorp/semgrep + if: (github.actor != 'dependabot[bot]') + steps: + # Fetch project source with GitHub Actions Checkout. + - uses: actions/checkout@v3 + with: + submodules: true + # Run the "semgrep ci" command on the command line of the docker image. + - run: semgrep ci + env: + # Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable. + SEMGREP_RULES: p/golang # more at semgrep.dev/explore + # Uncomment SEMGREP_TIMEOUT to set this job's timeout (in seconds): + # Default timeout is 1800 seconds (30 minutes). + # Set to 0 to disable the timeout. + # SEMGREP_TIMEOUT: 300 \ No newline at end of file
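Review bot: `container: image: returntocorp/semgrep` has no tag, so each run pulls whatever `:latest` currently is and the scan that gates PRs can silently change behaviour or be replaced upstream; pin it to a version and ideally a digest, e.g. `image: returntocorp/semgrep:<version>@sha256:<digest>`. The leading comment promises "block on new issues only (existing issues ignored)", but that diff-aware behaviour of `semgrep ci` appears to depend on a Semgrep App token (`SEMGREP_APP_TOKEN`), which this workflow does not set; without it the job will most likely fail on every finding in the full tree, so either add the token or reword the comment to say a full scan is run. Because the checkout uses `submodules: true`, vendored submodule code is scanned too, which may produce findings the project cannot fix; if that is not intended, drop `submodules: true` here or add a `.semgrepignore`. A `permissions: contents: read` block on the job would keep the token read-only, which is all this scan needs.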