Skip to content

feat(cicd): enforce cicd sast & package check#1147

Merged
aeppling merged 3 commits intodevelopfrom
fix/cicd-security-checks
Apr 21, 2026
Merged

feat(cicd): enforce cicd sast & package check#1147
aeppling merged 3 commits intodevelopfrom
fix/cicd-security-checks

Conversation

@aeppling
Copy link
Copy Markdown
Contributor

@aeppling aeppling commented Apr 10, 2026
edited
Loading

Summary

  • semgrep for sast check by yml rules
  • dependabot for package detection
  • update CICD doc
  • clippy -D unsafe_code hard fail

Test plan

  • YAML syntax validated (python3 yaml.safe_load) for all 3 files
  • Semgrep installed locally and ran against full codebase (10 rules, 0 parse errors)
  • Verified 8 ERROR findings on pre-existing code (baseline will filter in CI)
  • Verified 15 WARNING findings on pre-existing code (all legitimate)
  • Confirmed no false positives on new code (no .semgrep.yml or .github/ files flagged)
  • Push branch and verify semgrep job appears in GitHub Actions
  • Open PR to develop and confirm SEMGREP_BASELINE_REF filters pre-existing findings
  • Verify Dependabot starts creating PRs after merge (weekly schedule)

@aeppling
feat(cicd): enforce cicd sast & package check
4a22820 
- semgrep for sast check by yml rules
- dependabot for package detection
- update CICD doc
- clippy -D unsafe_code hard fail
@pszymkowiak pszymkowiak added effort-medium 1-2 jours, quelques fichiers enhancement New feature or request labels Apr 10, 2026
@pszymkowiak
Copy link
Copy Markdown
Collaborator

pszymkowiak commented Apr 10, 2026

[w] wshm · Automated triage by AI

📊 Automated PR Analysis
Type feature
🟡 Risk medium

Summary

Adds SAST (Static Application Security Testing) via Semgrep with custom rules tailored to the RTK project, configures Dependabot for weekly Cargo and GitHub Actions dependency updates, hardens the CI clippy step to hard-fail on unsafe code, and updates the CICD documentation to reflect the new pipeline stages.

Review Checklist

  • Tests present
  • Breaking change
  • Docs updated

Analyzed automatically by wshm · This is an automated analysis, not a human review.

@aeppling aeppling mentioned this pull request Apr 10, 2026
Closed
4 tasks
FlorianBruniaux
FlorianBruniaux approved these changes Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@FlorianBruniaux FlorianBruniaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok

@aeppling aeppling merged commit 3bbbb49 into develop Apr 21, 2026
13 checks passed
@aeppling aeppling mentioned this pull request Apr 25, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@FlorianBruniaux FlorianBruniaux FlorianBruniaux approved these changes

Assignees

No one assigned

Labels

effort-medium 1-2 jours, quelques fichiers enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aeppling @pszymkowiak @FlorianBruniaux