sourcegraph
diff --git a/‎.github/workflows/go-ci.yml‎
Lines changed: 15 additions & 0 deletions b/‎.github/workflows/go-ci.yml‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎.github/workflows/semgrep.yml‎
Lines changed: 37 additions & 0 deletions b/‎.github/workflows/semgrep.yml‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 10 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎DEVELOPMENT.md‎
Lines changed: 1 addition & 1 deletion b/‎DEVELOPMENT.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cmd/src/cmd.go‎
Lines changed: 0 additions & 16 deletions b/‎cmd/src/cmd.go‎
Lines changed: 0 additions & 16 deletions
diff --git a/‎cmd/src/doc.go‎
Lines changed: 0 additions & 1 deletion b/‎cmd/src/doc.go‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎cmd/src/extensions.go‎
Lines changed: 0 additions & 87 deletions b/‎cmd/src/extensions.go‎
Lines changed: 0 additions & 87 deletions
diff --git a/‎cmd/src/extensions_copy.go‎
Lines changed: 0 additions & 174 deletions b/‎cmd/src/extensions_copy.go‎
Lines changed: 0 additions & 174 deletions
@@ -30,3 +30,18 @@ jobs:
       - run: |
           go test -race -v ./...
           go test -v ./...
+
+  # This job provides a stable name for branch protection rules
+  # It will only pass if all Go CI matrix tests above pass
+  go-test-complete:
+    runs-on: ubuntu-latest
+    needs: go-test
+    if: always()
+    steps:
+      - name: Check Go CI results
+        run: |
+          if [[ "${{ needs.go-test.result }}" != "success" ]]; then
+            echo "One or more Go CI tests failed"
+            exit 1
+          fi
+          echo "All Go CI tests passed"
@@ -0,0 +1,37 @@
+name: Semgrep - SAST Scan
+
+on:
+  pull_request_target:
+    types: [ closed, edited, opened, synchronize, ready_for_review ]
+
+jobs:
+  semgrep:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      - name: Checkout semgrep-rules repo
+        uses: actions/checkout@v4
+        with:
+          repository: sourcegraph/security-semgrep-rules
+          token: ${{ secrets.GH_SEMGREP_SAST_TOKEN }}
+          path: semgrep-rules
+
+      - name: Run Semgrep SAST Scan
+        run: |
+          mv semgrep-rules ../
+          semgrep ci -f ../semgrep-rules/semgrep-rules/ --metrics=off --oss-only --suppress-errors --sarif -o results.sarif --exclude='semgrep-rules' --baseline-commit "$(git merge-base main HEAD)" || true
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
@@ -11,6 +11,16 @@ All notable changes to `src-cli` are documented in this file.
 
 ## Unreleased
 
+### Added
+
+- SBOM support: Added `--image` and `--exclude-image` flags to `src sbom fetch` for filtering which docker images SBOMs are fetched for. Both flags support glob patterns (e.g., `frontend`, `*api*`) and comma-separated lists. The `sourcegraph/` image name prefix is optional.
+
+### Changed
+
+- The deprecated `src extensions` commands have been removed.
+
+## 6.4.0
+
 ## 6.3.0
 
 ## 6.2.0
 
@@ -83,7 +83,7 @@ We adhere to the [general Sourcegraph principles for testing](https://docs.sourc
         [...]
         ```
         After updating the checksums, rerun the command to verify that the values are correct.
-    4. Run `sg generate bazel` (this may not result in any changes)
+    4. Run `sg generate bazel` and `sg bazel configure` (this may not result in any changes)
     4. Commit the changes, and open a PR.
  6. Once the version bump PR is merged and the commit is live on dotcom, check that the [curl commands in the README](README.md#installation) also fetch the new latest version.
 
 
@@ -6,9 +6,6 @@ import (
 	"log"
 	"os"
 	"slices"
-	"strings"
-
-	"github.com/sourcegraph/sourcegraph/lib/errors"
 
 	"github.com/sourcegraph/src-cli/internal/cmderrors"
 )
@@ -128,16 +125,3 @@ func (c commander) run(flagSet *flag.FlagSet, cmdName, usageText string, args []
 	log.Printf("%s: unknown subcommand %q", cmdName, name)
 	log.Fatalf("Run '%s help' for usage.", cmdName)
 }
-
-func didYouMeanOtherCommand(actual string, suggested []string) *command {
-	fullSuggestions := make([]string, len(suggested))
-	for i, s := range suggested {
-		fullSuggestions[i] = "src " + s
-	}
-	msg := fmt.Sprintf("src: unknown subcommand %q\n\nDid you mean:\n\n\t%s", actual, strings.Join(fullSuggestions, "\n\t"))
-	return &command{
-		flagSet:   flag.NewFlagSet(actual, flag.ExitOnError),
-		handler:   func(args []string) error { return errors.New(msg) },
-		usageFunc: func() { log.Println(msg) },
-	}
-}
@@ -56,7 +56,6 @@ Examples:
 			"":             &commands,
 			"batch":        &batchCommands,
 			"config":       &configCommands,
-			"extensions":   &extensionsCommands,
 			"extsvc":       &extsvcCommands,
 			"code-intel":   &codeintelCommands,
 			"orgs":         &orgsCommands,