
@devin-ai-integration

Add OpenGrep SAST workflow and security waivers file across 62 repositories

Summary

This bulk operation adds OpenGrep SAST security scanning capability to all active repositories in the Zampfi organization (62 total). Each repository now contains:

  1. .github/workflows/opengrep-sast.yaml - A comprehensive 273-line security scanning workflow that runs on PRs and main branch pushes, using OpenGrep with multiple rule sets (typescript, python, java, go, etc.)
  2. .security-waivers.json - An empty waivers file for managing security exceptions when legitimate code triggers false positives

The workflow is designed to block merges when critical/high severity security issues are detected, with a waiver system for handling false positives. 50 PRs have been successfully created with 11-12 remaining due to technical issues.

Review & Testing Checklist for Human

🔴 HIGH RISK - 5 critical items to verify:

  • Test the security workflow end-to-end - Create a test PR with intentional security issues to confirm the workflow properly blocks merges and generates reports
  • Verify the waiver system functions - Add a test waiver to .security-waivers.json and confirm it properly excludes the specified issue from blocking
  • Check for systematic errors - Spot-check 3-5 PRs across different repository types to ensure files were added correctly and workflows are properly configured
  • Complete remaining repositories - Ensure the 11-12 repositories that failed to get PRs are properly addressed (see bulk_pr_results.json for exact list)
  • Validate development workflow impact - Confirm that legitimate development work can proceed normally and that security-scan failures don't create excessive friction

Recommended test plan:

  1. Pick 2-3 representative repositories and create test PRs with both clean code and intentional security issues
  2. Test the waiver process by adding a legitimate waiver and confirming it works
  3. Monitor developer feedback over the first few days after merge

Diagram

%%{ init : { "theme" : "default" }}%%
graph TD
    A["bulk_pr_automation.py"]:::major-edit --> B[".github/workflows/opengrep-sast.yaml"]:::major-edit
    A --> C[".security-waivers.json"]:::major-edit
    A --> D["50+ Repository PRs"]:::major-edit
    
    B --> E["GitHub Actions Workflow"]:::context
    E --> F["OpenGrep Security Scan"]:::context
    F --> G["Security Report Generation"]:::context
    
    C --> H["Waiver Processing"]:::context
    H --> F
    
    D --> I["Expected: security-scan failures"]:::minor-edit
    D --> J["Some: pre-commit failures"]:::minor-edit
    
    subgraph Legend
        L1[Major Edit]:::major-edit
        L2[Minor Edit]:::minor-edit  
        L3[Context/No Edit]:::context
    end
    
    classDef major-edit fill:#90EE90
    classDef minor-edit fill:#87CEEB
    classDef context fill:#FFFFFF

Notes

  • Expected behavior: Most PRs show "security-scan" failures - this indicates the workflow is working correctly and finding legitimate security issues
  • Pre-commit issues: Some repositories (like pantheon) failed due to trailing whitespace in the source workflow file, which has been fixed
  • Source files: Both security files are sourced from /home/ubuntu/repos/herm-frontend/
  • Branch naming: All branches follow pattern devin/{timestamp}-add-security-files
  • Incomplete coverage: Technical issues with git_create_pr command prevented completion of all 62 repositories

Session details: Requested by shashvat@zamp.ai
Devin session: https://app.devin.ai/sessions/6b8a3486391f45e0b66ec32758e5f7da

- Add OpenGrep SAST security scanning workflow
- Add empty security waivers file for managing security exceptions
@devin-ai-integration devin-ai-integration bot requested a review from a team as a code owner August 8, 2025 14:08
@devin-ai-integration
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@github-actions

github-actions bot commented Aug 8, 2025

🔴 Security Scan: Critical/High Issues Found

1 critical/high severity security issue(s) must be resolved before merging.

🚨 Blocking Issues


📥 Full report available in workflow artifacts: security-report
🛡️ To waive issues, follow the instructions in the security report
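The merge gate the PR description sets out (block on critical/high findings, let a waiver file suppress known false positives) and the "N critical/high severity security issue(s) must be resolved before merging" summary the scan comment prints, as an added example that is not the PR's workflow, the bulk automation script, or OpenGrep's own code. Because the PR only ships an empty .security-waivers.json, the waiver schema here (entries with rule_id, path glob, reason and an expiry date) and the simplified finding shape (rule id, path, line, severity) are assumptions of this example; the sample findings and waiver file are constructed, not real scan output.

```python
"""Waiver-aware merge gate for SAST findings (added example, not project code)."""
import json
from datetime import date
from fnmatch import fnmatch

# Severities that block a merge, matching the "critical/high" policy in the PR.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample findings in a simplified shape; this is NOT OpenGrep's real output schema.
SAMPLE_FINDINGS = [
    {"rule_id": "python.sqli.raw-query", "path": "app/db.py", "line": 42, "severity": "HIGH"},
    {"rule_id": "python.sqli.raw-query", "path": "tests/fixtures/sql.py", "line": 7, "severity": "HIGH"},
    {"rule_id": "go.crypto.weak-hash", "path": "pkg/hash.go", "line": 19, "severity": "CRITICAL"},
    {"rule_id": "js.dom.innerhtml", "path": "web/ui.js", "line": 3, "severity": "MEDIUM"},
]

# Constructed waiver file; the schema is an assumption of this example.
# The second waiver has already expired, so it must not suppress anything.
SAMPLE_WAIVERS_JSON = json.dumps({
    "waivers": [
        {"rule_id": "python.sqli.raw-query", "path": "tests/fixtures/*",
         "reason": "test fixture, never reaches a database", "expires": "2099-01-01"},
        {"rule_id": "go.crypto.weak-hash", "path": "pkg/hash.go",
         "reason": "non-security checksum", "expires": "2020-01-01"},
    ]
})


def load_waivers(text):
    """Parse the waiver file; an empty file (as shipped in the PR) yields no waivers."""
    if not text.strip():
        return []
    data = json.loads(text)
    return data.get("waivers", [])


def waiver_matches(waiver, finding, today):
    """A waiver applies only if rule id and path glob match and it has not expired."""
    if waiver.get("rule_id") != finding["rule_id"]:
        return False
    if not fnmatch(finding["path"], waiver.get("path", "*")):
        return False
    expires = waiver.get("expires")
    if expires and date.fromisoformat(expires) < today:
        return False  # stale waiver: the finding blocks again until it is renewed
    return True


def evaluate(findings, waivers_text, today=None):
    """Split findings into blocking, waived and advisory; block iff any blocking remain."""
    today = date.fromisoformat(today) if today else date.today()
    waivers = load_waivers(waivers_text)
    blocking, waived, advisory = [], [], []
    for finding in findings:
        if finding["severity"].upper() not in BLOCKING_SEVERITIES:
            advisory.append(finding)  # reported, but never fails the check
            continue
        if any(waiver_matches(w, finding, today) for w in waivers):
            waived.append(finding)
        else:
            blocking.append(finding)
    return {"block": bool(blocking), "blocking": blocking,
            "waived": waived, "advisory": advisory}


def summary_line(result):
    """Headline in the style of the bot comment above."""
    n = len(result["blocking"])
    if n == 0:
        return "No critical/high severity security issues found."
    return f"{n} critical/high severity security issue(s) must be resolved before merging."


if __name__ == "__main__":
    result = evaluate(SAMPLE_FINDINGS, SAMPLE_WAIVERS_JSON, today="2025-08-08")
    print(summary_line(result))
    for f in result["blocking"]:
        print(f"  BLOCK  {f['severity']:<8} {f['rule_id']}  {f['path']}:{f['line']}")
    for f in result["waived"]:
        print(f"  WAIVED {f['severity']:<8} {f['rule_id']}  {f['path']}:{f['line']}")
    raise SystemExit(1 if result["block"] else 0)
```

The exit status is what a workflow step would key its pass/fail on; the expiry check is the part worth keeping even if the schema differs, because a waiver with no end date silently becomes a permanent blind spot.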

@devin-ai-integration
Author

Closing due to inactivity for more than 7 days. Configure here.
