Merge pull request #9 from EO-DataHub/semgrep

figi44 · web-flow · commit 5fef4bfd11df · 2025-10-16T15:25:49.000+02:00
Replace Bandit with Semgrep
diff --git a/.github/workflows/pre-commit-go.yaml b/.github/workflows/pre-commit-go.yaml
@@ -1,6 +1,6 @@
 name: pre-commit
 
-on: [pull_request, workflow_call]
+on: [workflow_call]
 
 jobs:
   pre-commit:
diff --git a/.github/workflows/pre-commit-node.yaml b/.github/workflows/pre-commit-node.yaml
@@ -1,6 +1,6 @@
 name: pre-commit
 
-on: [pull_request, workflow_call]
+on: [workflow_call]
 
 jobs:
   pre-commit:
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -1,6 +1,6 @@
 name: pre-commit
 
-on: [pull_request, workflow_call]
+on: [workflow_call]
 
 jobs:
   pre-commit:
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
@@ -4,26 +4,20 @@ on:
   workflow_call:
     inputs:
       ENABLE_BANDIT:
-        description: 'Enable the Bandit scanner - useful for Python only'
+        description: 'Enable the Bandit scanner - useful for Python only (deprecated, use ENABLE_SAST)'
+        default: true
+        type: boolean
+      ENABLE_SAST:
+        description: 'Enable SAST scanning with Semgrep'
         default: true
         type: boolean
 jobs:
-  build:
-    name: Check for vulnerabilities
-    runs-on: ubuntu-24.04
+  trivy:
+    name: Trivy scan
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Security check - Bandit
-        uses: mdegis/bandit-action@v1.0.1
-        if: ${{ inputs.ENABLE_BANDIT }}
-        with:
-          path: "."
-          level: high
-          confidence: high
-          skips: B101
-
+        uses: actions/checkout@v5
 
       - name: Write Trivy config file
         run: |
@@ -47,3 +41,14 @@ jobs:
           severity: 'MEDIUM,CRITICAL,HIGH'
           exit-code: '1'
           trivy-config: 'trivy.conf'
+
+
+  semgrep:
+    name: Semgrep scan
+    runs-on: ubuntu-latest
+    if: ${{ inputs.ENABLE_BANDIT || inputs.ENABLE_SAST }}
+    container:
+      image: semgrep/semgrep
+    steps:
+      - uses: actions/checkout@v5
+      - run: semgrep scan --config auto
diff --git a/.github/workflows/unit-tests-go.yaml b/.github/workflows/unit-tests-go.yaml
@@ -1,7 +1,6 @@
 name: Unit tests
 
 on:
-  pull_request:
   workflow_call:
 
 jobs:
diff --git a/.github/workflows/unit-tests-python.yaml b/.github/workflows/unit-tests-python.yaml
@@ -1,7 +1,6 @@
 name: Unit tests
 
 on:
-  pull_request:
   workflow_call:
     inputs:
       PYTHON_VERSION:
