From cd8c8bdcce6f3919e56bcee7320d8fe617f9502c Mon Sep 17 00:00:00 2001
From: Dmitrii Creed
Date: Thu, 7 May 2026 16:16:42 +0400
Subject: [PATCH 1/4] ci: add security-scan + semgrep + dependabot
Wires this repo to the org-wide reusable workflows in simple-container-com/actions: - security-scan: TruffleHog (secrets) + Syft/CycloneDX SBOM + Trivy + Grype, sticky PR comment, status gate - semgrep: SC custom ruleset + optional consumer rules / registry packs, sticky PR comment, status gate Both follow the GitHub Security Lab 'preventing pwn requests' split: scan jobs run in pull_request context (read-only token, no secrets, fork-PR safe); comment posting lives in a workflow_run-triggered job that never reads PR code. Adds .github/dependabot.yml with weekly bumps for both github-actions and gomod ecosystems, with minor+patch grouped to reduce PR noise.
---
.github/dependabot.yml | 40 +++++++++++++++++++++
.github/workflows/security-scan-comment.yml | 15 ++++++++
.github/workflows/security-scan.yml | 14 ++++++++
.github/workflows/semgrep-comment.yml | 15 ++++++++
.github/workflows/semgrep.yml | 14 ++++++++
5 files changed, 98 insertions(+)
create mode 100644 .github/dependabot.yml
create mode 100644 .github/workflows/security-scan-comment.yml
create mode 100644 .github/workflows/security-scan.yml
create mode 100644 .github/workflows/semgrep-comment.yml
create mode 100644 .github/workflows/semgrep.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..3551bab
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,40 @@
+version: 2
+
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ day: monday
+ open-pull-requests-limit: 5
+ labels:
+ - dependencies
+ - github-actions
+ commit-message:
+ prefix: deps
+ include: scope
+ groups:
+ actions-minor-and-patch:
+ applies-to: version-updates
+ update-types:
+ - minor
+ - patch
+
+ - package-ecosystem: gomod
+ directory: /
+ schedule:
+ interval: weekly
+ day: monday
+ open-pull-requests-limit: 10
+ labels:
+ - dependencies
+ - go
+ commit-message:
+ prefix: deps
+ include: scope
+ groups:
+ gomod-minor-and-patch:
+ applies-to: version-updates
+ update-types:
+ - minor
+ - patch
diff --git a/.github/workflows/security-scan-comment.yml b/.github/workflows/security-scan-comment.yml
new file mode 100644
index 0000000..ddcf092
--- /dev/null
+++ b/.github/workflows/security-scan-comment.yml
@@ -0,0 +1,15 @@
+name: Security Scan Comment
+on:
+ workflow_run:
+ workflows: ["Security Scan"]
+ types: [completed]
+permissions:
+ pull-requests: write
+ actions: read
+jobs:
+ comment:
+ if: github.event.workflow_run.event == 'pull_request'
+ uses: simple-container-com/actions/.github/workflows/security-scan-comment.yml@main
+ permissions:
+ pull-requests: write
+ actions: read
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
new file mode 100644
index 0000000..1adaaf2
--- /dev/null
+++ b/.github/workflows/security-scan.yml
@@ -0,0 +1,14 @@
+name: Security Scan
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ workflow_dispatch:
+permissions:
+ contents: read
+jobs:
+ security:
+ uses: simple-container-com/actions/.github/workflows/security-scan.yml@main
+ permissions:
+ contents: read
diff --git a/.github/workflows/semgrep-comment.yml b/.github/workflows/semgrep-comment.yml
new file mode 100644
index 0000000..9b524ad
--- /dev/null
+++ b/.github/workflows/semgrep-comment.yml
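Review bot: The `github-actions` entry will not keep the `uses: simple-container-com/actions/...@main` references in the four new workflows current, because Dependabot only bumps actions referenced by a tag or commit SHA and leaves branch refs such as `@main` alone, so the `actions-minor-and-patch` group will in practice only cover the SHA-pinned steps in push.yaml. A comment above the entry would save the next maintainer that confusion, e.g. `# Reusable workflows referenced by @main are not tracked by Dependabot; pin them to a tag or SHA to receive update PRs`. Both groups are limited to `applies-to: version-updates`, so security updates still arrive as individual PRs; if that is the intent it is worth stating in the same comment.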
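Review bot: `uses: simple-container-com/actions/.github/workflows/security-scan-comment.yml@main` pulls a cross-repo reusable workflow by a mutable branch ref into a job that holds `pull-requests: write`, so whoever can push to that repo's `main` controls code running with write scope here; the same applies to the `@main` references in security-scan.yml, semgrep-comment.yml and semgrep.yml in this series. Patch 4 pins third-party actions to commit SHAs for exactly this reason, and a tag or SHA pin with a trailing version comment, e.g. `uses: simple-container-com/actions/.github/workflows/security-scan-comment.yml@<TAG-OR-SHA> # <VERSION>`, gives the same audit trail and lets Dependabot track it. If a mutable ref is an accepted policy for same-org workflows, record that decision in a comment above the `uses:` line so the next Semgrep or reviewer pass does not re-raise it. Separately, the workflow-level `permissions:` block duplicates the job-level one; one of the two is redundant and the file reads more clearly with a single statement of the scopes.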
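Review bot: The triggers are `push`, `pull_request` and `workflow_dispatch` only, so the Trivy/Grype dependency and SBOM scan described in the commit message runs only when code changes, and a vulnerability published against an unchanged dependency on `main` will not be reported until the next commit. A `schedule:` trigger under `on:`, for example `schedule:` followed by `- cron: "0 6 * * 1"` (a constructed weekly example, pick the cadence that fits), closes that gap and matches the weekly Dependabot cadence added in this same series. Whether the reusable workflow behaves sensibly on a scheduled run (no PR to comment on) is something to confirm in simple-container-com/actions, since I cannot see it from this diff.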
@@ -0,0 +1,15 @@
+name: Semgrep Comment
+on:
+ workflow_run:
+ workflows: ["Semgrep"]
+ types: [completed]
+permissions:
+ pull-requests: write
+ actions: read
+jobs:
+ comment:
+ if: github.event.workflow_run.event == 'pull_request'
+ uses: simple-container-com/actions/.github/workflows/semgrep-comment.yml@main
+ permissions:
+ pull-requests: write
+ actions: read
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 0000000..468f6be
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,14 @@
+name: Semgrep
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ workflow_dispatch:
+permissions:
+ contents: read
+jobs:
+ semgrep:
+ uses: simple-container-com/actions/.github/workflows/semgrep.yml@main
+ permissions:
+ contents: read
From db9eebbe1e3821d8db46fe4235812b46d716ed44 Mon Sep 17 00:00:00 2001
From: Dmitrii Creed
Date: Thu, 7 May 2026 16:23:11 +0400
Subject: [PATCH 2/4] ci: retrigger after org-access enabled
From 55305f02fb07b09f968c21a935ae522bc71a974a Mon Sep 17 00:00:00 2001
From: Dmitrii Creed
Date: Thu, 7 May 2026 16:54:15 +0400
Subject: [PATCH 3/4] ci: retrigger after actions repo set public
Signed-off-by: Dmitrii Creed
From 53d0daa224c4bd5e4be8e7c3e01d91b6d7d5bcbf Mon Sep 17 00:00:00 2001
From: Dmitrii Creed
Date: Thu, 7 May 2026 17:10:10 +0400
Subject: [PATCH 4/4] fix(security): pin third-party actions + suppress org-owned welder bootstrap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Six findings from the first Semgrep scan on this repo: ERROR (gating, fixed by suppression with justification): - .github/workflows/push.yaml:48,49 — bash <(curl ...) bootstrap of welder.simple-container.com/welder.sh. This is the org's own service, not third-party. Added 'nosemgrep: shell-curl-pipe-to-shell' inline with a justification comment that the long-term fix is a checksum-pinned welder release (tracked as a follow-up). WARNING (best-practice, fixed by pinning): - push.yaml:25 reecetech/version-increment@2023.10.2 -> @a29aa752dc3b8118a2dc2ed93faf0e95a73a9c7e (2024.10.1) - push.yaml:41 fregante/setup-git-user@v2 -> @024bc0b8e177d7e77203b48dab6fb45666854b35 (v2.0.2) INFO (defence-in-depth, fixed by pinning): - push.yaml:23,40 actions/checkout@v4 -> @de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6.0.2)
Signed-off-by: Dmitrii Creed
---
.github/workflows/push.yaml | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index a0c444a..2a36ea8 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -20,9 +20,9 @@ jobs: outputs: version: ${{ steps.version.outputs.version }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get next version - uses: reecetech/version-increment@2023.10.2 + uses: reecetech/version-increment@a29aa752dc3b8118a2dc2ed93faf0e95a73a9c7e # 2024.10.1 id: version with: scheme: "calver"
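Review bot: The pins on the two `uses:` lines are only as trustworthy as their trailing `# v6.0.2` and `# 2024.10.1` comments, and nothing in the diff shows that the SHAs were resolved from those tags; verify each SHA against the upstream tag before merging, since a mismatched comment misleads later audits and Dependabot's comment-based bumps alike. `actions/checkout` moves from `@v4` straight to a v6.0.2 commit, which is two major versions inside a commit framed as a pin; if that jump carries runtime or default-behaviour changes (not something I can confirm from the diff), it deserves a sentence in the commit message or its own change. The job these steps belong to starts above the hunk, so whether it carries its own `permissions:` block limiting the token is not visible here.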
@@ -37,13 +37,15 @@ jobs: cicd-bot-telegram-token: ${{ steps.prepare-secrets.outputs.cicd-bot-telegram-token }} cicd-bot-telegram-chat-id: ${{ steps.prepare-secrets.outputs.cicd-bot-telegram-chat-id }} steps: - - uses: actions/checkout@v4 - - uses: fregante/setup-git-user@v2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: fregante/setup-git-user@024bc0b8e177d7e77203b48dab6fb45666854b35 # v2.0.2 - name: build and tag library release shell: bash env: VERSION: ${{ needs.prepare.outputs.version }} run: |- git remote set-url origin https://${{ secrets.GITHUB_TOKEN }}@github.com/simple-container-com/go-aws-lambda-sdk.git + # nosemgrep: shell-curl-pipe-to-shell # welder.simple-container.com is the org's own bootstrap; replace with checksum-pinned welder release as a follow-up bash <(curl -Ls "https://welder.simple-container.com/welder.sh") make --timestamps + # nosemgrep: shell-curl-pipe-to-shell # same as above; org-owned bootstrap bash <(curl -Ls "https://welder.simple-container.com/welder.sh") deploy -e prod --timestamps
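Review bot: The justification on the two added `nosemgrep: shell-curl-pipe-to-shell` lines addresses who owns welder.simple-container.com, but not the property the rule flags, which is that whatever that host serves at run time is executed; this step already has `secrets.GITHUB_TOKEN` written into the origin URL on the line above and, judging by the step name, push rights on the repo, so a compromised or redirected download hands that token to the fetched script. Keep the suppression, but make the comment carry the concrete debt, e.g. `# nosemgrep: shell-curl-pipe-to-shell -- org-owned bootstrap; replace with checksum-pinned welder release, tracked in <TRACKING-ISSUE>`, with the second occurrence reduced to `# nosemgrep: shell-curl-pipe-to-shell -- see above`. As an interim hardening that needs no upstream release, `curl -fsSL --proto '=https' --proto-redir '=https' "https://welder.simple-container.com/welder.sh"` refuses plain-HTTP redirects and stops an HTTP error page from being fed to `bash`; note that a failed download would still leave `bash` reading an empty stream and silently turn the deploy into a no-op, so downloading to a file and checking curl's exit status first is the more complete interim fix. The job containing this `run:` block starts above the hunk, and whether further steps follow the `deploy` line is not visible here.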