Skip to content

ci: add semgrep rules check in security-scanner plugins #25924

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

ci: add semgrep rules check in security-scanner plugins #25924

wants to merge 3 commits into from

Conversation

dduzgun-security
Copy link
Collaborator

@dduzgun-security dduzgun-security commented May 22, 2025
edited
Loading

Description

Adding plugins for semgrep rules and adding codeql go scans on PR too (it's done through the scheduled/daily scan only currently) in the security scanner configuration.

Testing & Reproduction steps

Links

Contributor Checklist

  • Changelog Entry If this PR changes user-facing behavior, please generate and add a
    changelog entry using the make cl command.
  • Testing Please add tests to cover any new functionality or to demonstrate bug fixes and
    ensure regressions will be caught.
  • Documentation If the change impacts user-facing functionality such as the CLI, API, UI,
    and job configuration, please update the Nomad website documentation to reflect this. Refer to
    the website README for docs guidelines. Please also consider whether the
    change requires notes within the upgrade guide.

Reviewer Checklist

  • Backport Labels Please add the correct backport labels as described by the internal
    backporting document.
  • Commit Type Ensure the correct merge method is selected which should be "squash and merge"
    in the majority of situations. The main exceptions are long-lived feature branches or merges where
    history should be preserved.
  • Enterprise PRs If this is an enterprise only PR, please add any required changelog entry
    within the public repository.

@dduzgun-security dduzgun-security requested review from a team as code owners May 22, 2025 17:50
@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

jrasell
jrasell previously approved these changes May 27, 2025
View reviewed changes
Copy link
Member

@jrasell jrasell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @dduzgun-security!

Should we backport this to all our release branches as well?

@dduzgun-security
Copy link
Collaborator Author

@jrasell thanks for the review. I pushed a small fix for the path (so we don't scan the security-scanner itself) and also to include the plugins. This would indeed need some labels to be backported since we scan for active release/x.y.z branches too 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jrasell jrasell jrasell left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dduzgun-security @jrasell