
Conversation

@devin-ai-integration

Add OpenGrep SAST workflow and security waivers file across 62 repositories

Summary

This bulk operation adds comprehensive security scanning capabilities to all active repositories in the Zampfi organization (62 total). Each repository now contains:

  1. .github/workflows/opengrep-sast.yaml - A 273-line GitHub Actions workflow that runs security scans on pull requests and main branch pushes, using OpenGrep with multiple rule sets (typescript, python, java, go, etc.)
  2. .security-waivers.json - An empty waivers file that allows teams to manage security exceptions when legitimate code triggers false positives

The security workflow is designed to block PRs with critical/high severity issues unless they are explicitly waived, providing a safety net against security vulnerabilities while allowing teams flexibility to handle edge cases.

Review & Testing Checklist for Human

Risk Level: 🔴 HIGH - Organization-wide security infrastructure change affecting 62 repositories

  • Validate security workflow configuration - Test that the OpenGrep rules are appropriately strict but not overly restrictive for your organization's codebase patterns
  • Test waivers mechanism - Create a test security issue and verify the .security-waivers.json file correctly excludes it from blocking PRs
  • Spot-check representative repositories - Pick 3-5 repositories with different languages/frameworks and verify the workflow runs without breaking existing CI/CD processes
  • Review unexpected CI failures - Most PRs show expected "security-scan" failures (this is correct behavior), but investigate any other CI failures that might indicate integration issues
  • Verify no hardcoded values - Double-check that the workflow doesn't contain any development/testing artifacts or organization-specific hardcoded values that shouldn't be there

Recommended Test Plan:

  1. Pick one repository and create a test PR with a known security issue to verify blocking behavior
  2. Add a waiver for that issue and confirm the PR becomes unblocked
  3. Test the workflow on repositories with different primary languages (JS/TS, Python, Go, Java)

Diagram

%%{ init : { "theme" : "default" }}%%
graph TD
    subgraph "Organization Wide Changes"
        A["62 Zampfi Repositories"]
        B[".github/workflows/opengrep-sast.yaml"]:::major-edit
        C[".security-waivers.json"]:::major-edit
    end
    
    subgraph "Security Workflow Process"
        D["PR/Push Trigger"]:::context
        E["OpenGrep Security Scan"]:::context
        F["Check Waivers File"]:::context
        G["Block if Critical/High Issues"]:::context
    end
    
    subgraph "Source Files"
        H["/home/ubuntu/repos/herm-frontend/.github/workflows/opengrep-sast.yaml"]:::context
        I["Fixed trailing whitespace issues"]:::minor-edit
    end
    
    A --> B
    A --> C
    B --> D
    D --> E
    E --> F
    F --> G
    H --> B
    I --> H

    subgraph Legend
        L1[Major Edit]:::major-edit
        L2[Minor Edit]:::minor-edit
        L3[Context/No Edit]:::context
    end

    classDef major-edit fill:#90EE90
    classDef minor-edit fill:#87CEEB
    classDef context fill:#FFFFFF

Notes

  • Expected Behavior: Most PRs show "security-scan" failures - this is correct and indicates the workflow is finding legitimate security issues that need to be addressed or waived
  • Mid-process Fix: Trailing whitespace was removed from the source workflow file partway through the process, so some repositories may have slightly different versions
  • Session Details: Requested by shashvat@zamp.ai - Session: https://app.devin.ai/sessions/6b8a3486391f45e0b66ec32758e5f7da
  • Completion Status: 50+ PRs created successfully, with remaining repositories still in progress due to intermittent API issues
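How a gate of the kind this PR describes can decide whether a PR is blocked, shown as an added example rather than the 273-line workflow itself: it reads an OpenGrep report in the Semgrep-compatible JSON layout (results[].check_id, path, start.line, extra.severity), applies the waivers file, and keeps only critical/high findings that nobody waived. The waivers schema (rule id, path glob, reason) and the severity mapping are assumptions, since neither file's contents appear in the PR.

```python
# Added example: gate logic for a SAST step that blocks on unwaived critical/high findings.
# Assumptions (not from the PR): OpenGrep's Semgrep-compatible JSON report layout and a
# waivers file shaped {"waivers": [{"rule": ..., "path": <glob>, "reason": ...}]}.
import fnmatch
import json

# Assumption: OpenGrep severity labels that count as critical/high for the gate.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH", "ERROR"}

def load_waivers(text: str) -> list:
    """Parse .security-waivers.json; an empty file (as shipped) means no waivers."""
    if not text.strip():
        return []
    return json.loads(text).get("waivers", [])

def is_waived(finding: dict, waivers: list) -> bool:
    """A waiver matches on rule id plus a path glob; a waiver without a reason is ignored."""
    for w in waivers:
        if not w.get("reason"):
            continue
        if w.get("rule") == finding["check_id"] and fnmatch.fnmatch(
                finding["path"], w.get("path", "*")):
            return True
    return False

def blocking_findings(report: dict, waivers: list) -> list:
    """Findings that should fail the PR: blocking severity and not waived."""
    blocked = []
    for r in report.get("results", []):
        severity = r.get("extra", {}).get("severity", "").upper()
        if severity in BLOCKING_SEVERITIES and not is_waived(r, waivers):
            blocked.append(r)
    return blocked

# Constructed sample report and waivers; rule ids and paths are made up.
SAMPLE_REPORT = {"results": [
    {"check_id": "example.python.exec-detected", "path": "app/util.py",
     "start": {"line": 12}, "extra": {"severity": "ERROR", "message": "exec() on input"}},
    {"check_id": "example.python.exec-detected", "path": "tests/fixtures/gen.py",
     "start": {"line": 3}, "extra": {"severity": "ERROR", "message": "exec() in fixture"}},
    {"check_id": "example.python.weak-hash", "path": "app/legacy.py",
     "start": {"line": 40}, "extra": {"severity": "WARNING", "message": "md5 used"}},
]}
SAMPLE_WAIVERS = ('{"waivers": [{"rule": "example.python.exec-detected", '
                  '"path": "tests/**", "reason": "fixture generator, no user input"}]}')

if __name__ == "__main__":
    blocked = blocking_findings(SAMPLE_REPORT, load_waivers(SAMPLE_WAIVERS))
    raise SystemExit(1 if blocked else 0)  # non-zero exit fails the CI step
```

With the sample data, only the finding in app/util.py survives: the test-fixture hit is waived and the WARNING-level hit is below the gate, so the step exits non-zero for exactly one issue.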

- Add OpenGrep SAST security scanning workflow
- Add empty security waivers file for managing security exceptions
@devin-ai-integration
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@github-actions

github-actions bot commented Aug 8, 2025

Coverage on new code: 100%

@github-actions

github-actions bot commented Aug 8, 2025

🔴 Security Scan: Critical/High Issues Found

1 critical/high severity security issue(s) must be resolved before merging.

🚨 Blocking Issues


📥 Full report available in workflow artifacts: security-report
🛡️ To waive issues, follow the instructions in the security report

@devin-ai-integration
Author

Closing due to inactivity for more than 7 days. Configure here.
