Add sigstore + gha-extras + pulumi-iac + go-canon Semgrep rule packs#10
Merged
Merged
Conversation
… packs
Promote the four custom Semgrep rule packs that have been baking on
simple-container-com/api (PR #261, 0 findings clean) into the shared
semgrep-scan ruleset so every consumer of the action picks them up.
Rule files (4 packs, 22 rules):
- sigstore.yml (6): cosign verify/verify-blob/verify-attestation must
set --certificate-identity + --certificate-oidc-issuer; reject
--insecure-ignore-{tlog,sct}; gh attestation verify requires
--owner/--repo scope; attest-build-provenance must pin subject-digest
on :latest / :staging tags; id-token: write disallowed on
pull_request_target / workflow_run triggers.
- gha-extras.yml (4): workflow-level env: must not reference
secrets.*; upload-artifact paths must not match .env / *.pem /
*.key / secrets/**; pull_request_target + checkout without
workflow_run-pinned ref is the canonical PPE vector; echo of any
TOKEN-named var into $GITHUB_ENV leaks across steps.
- pulumi-iac.yml (5): K8s pod with Privileged / HostNetwork / HostPID
/ hostPath; GCP bucket public ACL (allUsers / allAuthenticatedUsers)
or UBLA disabled; GCE VM with default SA + cloud-platform scope; AWS
SG ingress 0.0.0.0/0; IAM policy with Action / Resource = "*".
- go-canon.yml (7): bytes.Equal on MAC / signature variables (timing
side-channel); AEAD Seal with deterministic / zero nonce; JWT
ParseUnverified / SigningMethodNone / "alg":"none"; &http.Client{}
without Timeout; tls.Config MinVersion below 1.2; exec.Command +
Run/Output without setting cmd.Env (path file-excludes + trusted-CLI
metavariable filter so syft/trivy/cosign/git/kubectl etc. skip).
Scoping note: Semgrep YAML block-scalar metavariables (`$BODY` of a
`run: |` mapping) don't bind to block content, so the sigstore /
gha-extras rules use file-level pattern-regex + pattern-not-regex
pairs (with `languages: [generic]`) — a workflow that mixes safe and
unsafe usages on the same rule may not fire, which is acceptable for
CI hardening where one workflow exercises one consistent pattern.
Test harness:
- 4 new fixture files under semgrep-scan/tests/{.github/workflows,
pulumi,canon}, 60 new positive/negative test cases.
- run-tests.sh pairs table extended; full-repo scan still produces 0
findings on this repo.
- Go fixtures live in their own subdirectories with isolated package
names so per-file Semgrep scans don't collide with the existing
tests/go_cases.go declarations (pulumi.Bool, rds, etc.).
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Security Scan ResultsRepository:
Scanned at 2026-05-16 15:39 UTC |
Semgrep Scan ResultsRepository:
Scanned at 2026-05-16 15:39 UTC |
Cre-eD
added a commit
to simple-container-com/api
that referenced
this pull request
May 16, 2026
The 22 custom Semgrep rules (sigstore, gha-extras, pulumi-iac, go-canon) that lived in .semgrep/rules/ have been promoted to the shared ruleset at simple-container-com/actions/semgrep-scan/rules/ via simple-container-com/actions#10. Once that lands on the actions repo's `main` branch, the rules are picked up here automatically via the `@main` ref on the reusable workflow — no `consumer-rules:` input needed. Short coverage gap until actions#10 merges: the registry packs (p/ci, p/golang, p/gosec) keep running; only the SC-specific rules pause. Re-enable on the actions side as soon as #10 is merged. Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Promotes four custom Semgrep rule packs (22 rules total) from the API repo's local
.semgrep/rules/into the sharedsemgrep-scanruleset so every consumer of the action gets the coverage by default. Baked for ~3 weeks onsimple-container-com/api(PR #261) with 0 findings on a clean branch.sigstore.yml--insecure-ignore-*,gh attestation verify --owner/--repo, attest-build-provenance mutable tags, OIDCid-token: writeonpull_request_target/workflow_rungha-extras.ymlsecrets.*inenv:, upload-artifact of.env/*.pem/*.key/secrets/**,pull_request_target+ checkout without workflow_run-pinned ref,GITHUB_TOKENleak via$GITHUB_ENVpulumi-iac.ymlPrivileged/HostNetwork/HostPID/hostPath, GCP bucket public ACL or UBLA off, GCE default SA +cloud-platformscope, AWS SG0.0.0.0/0ingress, IAMAction/Resource: "*"go-canon.ymlsecurity-extendeddoesn't cover —bytes.Equalon MAC, deterministic AEAD nonce, JWTParseUnverified/None,&http.Client{}withoutTimeout,tls.Config{MinVersion: <1.2},exec.Commandwithoutcmd.EnvWhy now
These were drafted in the API repo first (per the standard ruleset-promotion flow: bake locally → consumer-rules → 0 findings → promote to shared) and have been clean on api for ~3 weeks. Moving them here means the next consumer that opts into
semgrep-scangets them for free instead of copy-pasting.semgrep/rules/into every repo.Implementation notes
languages: [generic]— Semgrep's YAML block-scalar metavariables ($BODYof arun: |mapping) don't bind to the block content in practice; switched to file-levelpattern-regex+pattern-not-regexpairs. Trade-off: a workflow that mixes safe and unsafe usages on the same rule may not fire. Acceptable for CI hardening, where one workflow exercises one consistent pattern.go-canon-exec-commandships a path-exclude list forpkg/security/{sbom,scan,tools}/**plus a trusted-CLI metavariable filter (git/stty/gh/cosign/syft/trivy/grype/kubectl/docker/pulumi/sc/welder) so legitimate scanner / git invocations don't FP.pulumi-aws-sg-open-ingressis regex-only (no AST alternative) — the AST shapeec2.SecurityGroupArgs{Ingress: ...}matched any ingress including restricted CIDRs, so it was dropped in favor of the preciseCidrBlocks: ... "0.0.0.0/0"regex.Test plan
semgrep-scan/run-tests.shextended with four new rule/fixture pairings:sigstore.yml↔tests/.github/workflows/sigstore-cases.yml(9 cases)gha-extras.yml↔tests/.github/workflows/gha-extras-cases.yml(7 cases)pulumi-iac.yml↔tests/pulumi/cases.go(18 cases)go-canon.yml↔tests/canon/cases.go(26 cases)Go fixtures live in their own subdirectories with isolated package names so per-file Semgrep scans don't collide with the existing
tests/go_cases.godeclarations (pulumi,rds,sdk,lo, …).Follow-up
After this merges, the consumer side (simple-container-com/api PR #261) drops its local
.semgrep/rules/and theconsumer-rulesinput — the shared ruleset covers it.