Mbed TLS 4.x Compatibility Update #13
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Semgrep (C/C++ SAST) | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| push: | |
| branches: [ "main", "master" ] | |
| permissions: | |
| contents: read | |
| security-events: write | |
| jobs: | |
| semgrep: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout (inkl. Submodules) | |
| uses: actions/checkout@v6 | |
| with: | |
| submodules: recursive | |
| - name: Install Semgrep | |
| run: | | |
| python3 -m pip install --upgrade pip | |
| pip install semgrep | |
| - name: Fetch Semgrep Community rules | |
| run: | | |
| git clone --depth 1 https://github.com/semgrep/semgrep-rules .semgrep-rules | |
| - name: Run Semgrep (SARIF, robust excludes + configs) | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| # 1) Excludes aus Datei robust einlesen (Kommentare/Leerzeilen ignorieren) | |
| EXCLUDE_FILE=".github/security-scan-excludes.txt" | |
| EXCLUDES="" | |
| if [[ -f "$EXCLUDE_FILE" ]]; then | |
| while IFS= read -r line; do | |
| [[ -z "$line" || "$line" =~ ^[[:space:]]*# ]] && continue | |
| EXCLUDES+=" --exclude $line" | |
| done < "$EXCLUDE_FILE" | |
| fi | |
| echo "Semgrep excludes:$EXCLUDES" | |
| # 2) Configs nur hinzufügen, wenn sie existieren (Repo-Struktur kann sich ändern) | |
| CONFIGS=() | |
| [[ -d ".semgrep-rules/c" ]] && CONFIGS+=("--config" ".semgrep-rules/c") | |
| [[ -d ".semgrep-rules/cpp" ]] && CONFIGS+=("--config" ".semgrep-rules/cpp") | |
| # Optional: generische Security-Audit Rules (sprache-unabhängig/teilweise generisch) | |
| [[ -d ".semgrep-rules/security/audit" ]] && CONFIGS+=("--config" ".semgrep-rules/security/audit") | |
| if [[ ${#CONFIGS[@]} -eq 0 ]]; then | |
| echo "No suitable Semgrep community rule directories found; skipping." | |
| echo '{"version":"2.1.0","runs":[]}' > semgrep.sarif | |
| exit 0 | |
| fi | |
| # 3) Scan | |
| semgrep scan \ | |
| "${CONFIGS[@]}" \ | |
| $EXCLUDES \ | |
| --sarif -o semgrep.sarif \ | |
| . | |
| - name: Upload SARIF | |
| if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: semgrep.sarif | |
| category: semgrep |