[Draft: Do Not Merge] Add Semgrep and Gradle dependency submission#33

Closed
nickorkes wants to merge 6 commits into main from chore/github-native-security-scans

Conversation

nickorkes (Contributor) commented Mar 27, 2026

Summary

Add a minimal CI security baseline by introducing Semgrep for pull request SAST and submitting the server's resolved Gradle dependency graph to GitHub.

Changes

  • add a Semgrep workflow that runs on pull requests targeting main
  • add a small helper under .github/scripts/ to generate the Semgrep PR comment, job summary, and report output
  • add a Gradle Dependency Submission workflow for server/ changes on main
  • add Dependabot updates for GitHub Actions workflow dependencies
  • pin the new workflow actions to immutable commit SHAs

Why

  • provide a code-level security check in CI for pull requests
  • make Semgrep results visible to reviewers directly on the pull request
  • ensure the Java server's resolved Gradle dependencies are visible to GitHub's dependency graph and Dependabot
  • keep the security workflow footprint small and maintainable without requiring GitHub Code Security

Impact

  • pull requests to main will now run a Semgrep check and post a Semgrep summary comment on the PR
  • Semgrep will upload a semgrep-results artifact for drill-down when needed
  • pushes to main that affect server/ will refresh the Gradle dependency graph for the Java service
  • GitHub Actions dependency pins in these workflows can be kept current via Dependabot

Follow-Up

  • repin existing release workflows to immutable SHAs
  • expand native GitHub security scanning if GitHub Code Security is enabled for the repository
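As an illustration of the job the helper under `.github/scripts/` in this PR performs, here is an added Python example (not the PR's own script or the project's code) that turns `semgrep --json` output plus the PR's changed-file list into the summary format the bot comment later in the thread uses, and into a pass/fail decision for the check. The `semgrep --json` result shape (`results[].path`, `results[].extra.severity`) is as Semgrep documents it; the sample findings, rule ids, file list and baseline SHA are constructed, and treating ERROR severity as blocking is an assumption made here, not something the PR states.

```python
"""Constructed helper (not the PR's own .github/scripts/ code): summarise
Semgrep JSON output for a PR comment / job summary.

Assumptions: Semgrep was run with `--json`, giving {"results": [...]} where each
result carries "path" and "extra": {"severity": ...}; findings are only counted
when they sit in a file the PR changed; ERROR severity is treated as blocking
(a policy choice made here, not stated in the PR)."""
import json

# Constructed sample `semgrep --json` output and PR file list (rule ids are made up).
SAMPLE_SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "sample.java.sqli", "path": "server/src/Db.java",
     "start": {"line": 42}, "extra": {"severity": "ERROR", "message": "SQL built from input"}},
    {"check_id": "sample.actions.unpinned", "path": ".github/workflows/release.yml",
     "start": {"line": 7}, "extra": {"severity": "WARNING", "message": "unpinned action"}},
]})
SAMPLE_CHANGED_FILES = ["server/src/Db.java", "server/build.gradle"]
SAMPLE_BASELINE = "0000000000000000000000000000000000000000"  # placeholder SHA


def findings_in_changed_files(semgrep_json, changed_files):
    """Return Semgrep results whose path is one of the PR's changed files."""
    changed = set(changed_files)
    results = json.loads(semgrep_json).get("results", [])
    return [r for r in results if r.get("path") in changed]


def summarise(semgrep_json, changed_files, baseline_sha):
    """Build the Markdown comment body and a flag saying whether the check should fail."""
    findings = findings_in_changed_files(semgrep_json, changed_files)
    blocking = [f for f in findings if f["extra"]["severity"] == "ERROR"]
    status = f"{len(blocking)} blocking finding(s)" if blocking else "no blocking findings"
    lines = ["## Semgrep Results", "",
             f"- Findings in changed files: {len(findings)}",
             f"- Changed files in pull request: {len(changed_files)}",
             f"- Baseline commit: {baseline_sha}",
             f"- Status: {status}", ""]
    for f in findings:  # one line per finding so reviewers can drill down from the comment
        lines.append(f"- `{f['path']}:{f['start']['line']}` {f['extra']['severity']} "
                     f"{f['check_id']}: {f['extra']['message']}")
    if not findings:
        lines.append("No Semgrep findings were introduced in the files changed by this pull request.")
    return "\n".join(lines), bool(blocking)


if __name__ == "__main__":
    body, blocked = summarise(SAMPLE_SEMGREP_JSON, SAMPLE_CHANGED_FILES, SAMPLE_BASELINE)
    print(body)
    raise SystemExit(1 if blocked else 0)  # non-zero exit marks the PR check as failed
```

Findings in files the PR did not touch (the unpinned-action warning in the sample) are left out of the count, which is what keeps the check scoped to the change rather than to pre-existing debt.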

nickorkes changed the title from "Add native GitHub security scanning workflows" to "Add Semgrep and Gradle dependency submission" on Mar 27, 2026
github-actions Bot commented Mar 27, 2026

Semgrep Results

  • Findings in changed files: 0
  • Changed files in pull request: 4
  • Baseline commit: 714c9873ce8b2188dac0422591035102f3594265
  • Status: no blocking findings

No Semgrep findings were introduced in the files changed by this pull request.

nickorkes changed the title from "Add Semgrep and Gradle dependency submission" to "Draft: Add Semgrep and Gradle dependency submission" on Mar 30, 2026
nickorkes changed the title from "Draft: Add Semgrep and Gradle dependency submission" to "[Draft: Do Not Merge] Add Semgrep and Gradle dependency submission" on Mar 30, 2026
@nickorkes nickorkes closed this Mar 30, 2026
@nickorkes nickorkes deleted the chore/github-native-security-scans branch March 30, 2026 17:44