Use GitHub and GitHub Actions to manage and track role updates to your users on Semgrep Platform.
Honestly, I was bored!
Having just 2 roles, Admin and Member does not make sense. Because,
- Members cannot view the policy settings or access the playground
- Admin has just all the permissions on the platform
Beside these limitations, there are many other day to day usage problems. Having everyone as admin would be chaotic.
There is not audit log available. Changes are not tracked. So if anyone just goes around changing the policy board, its bad.
- Use GitHub Actions to automatically update roles
- Time based admin provision. Set a time until someone can be an admin
- Use Git revisions to know when a role was updated and who updated it.
- This definitely is not the best way. But I like writing some automations like this
- This was written with assumption that you have just one Semgrep organization. Incase you have multiple and want to track all of them, then you need to modify the folder structure to move each JSON inside an organization folder. There's an API call to get the org name from org ID (
GET /api/auth/users/{userId}/deployments)- I do not intend to write this now. If you need it, probably fork and make these changes. Feel free to contribute back!
- You cannout use
SEMGREP_APP_TOKENsadly. You will have to copy the JWT token from any API call from the Semgrep Platform- We can think about another automation with Selenium for this. But I'd honestly be happy if Semgrep folks just allow the using the regular token.
- Beyond happy if you just solve the role and audit log problem
- Make sure only select folks can run the GitHub workflows or set approvals for these
- Make sure to protect the branch where the data will be. So only a specific user can make changes to that branch and no one else
- Create a GitHub PAT with repo write and workflow permissions. Make sure this user is added to the bypass list of the protected branch. Its even better if this token is from a non human account.