
adds severity mapping #5

adds severity mapping


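---
name: OpenGrep Scanner

# Least-privilege token: the job only reads the checkout and writes
# code-scanning alerts. upload-sarif additionally needs `actions: read`
# when the repository is private (documented for codeql-action); add it
# if that applies here.
permissions:
  contents: read
  security-events: write

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader treats it as the
# trigger key, so it stays unquoted (suppress yamllint `truthy` if needed).
on:
  push:
    branches:
      - main
      - dev
      - sast
  pull_request:

jobs:
  opengrep-scan:
    name: Use OpenGrep
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Supply-chain note: the installer is fetched from the unpinned `main`
      # branch and piped straight into bash, and `latest` resolves to
      # whatever version that installer chose at run time, so the scanner
      # version can drift between runs. Pin a release and verify its
      # checksum once the project publishes them
      # (e.g. OPENGREP_VERSION=<pinned-version>, expected sha256 <published-sha256>).
      - name: Install OpenGrep
        run: |
          curl -fsSL https://raw.githubusercontent.com/opengrep/opengrep/main/install.sh | bash
          /home/runner/.opengrep/cli/latest/opengrep --version

      # Runs the full bundled ruleset and writes SARIF for code scanning.
      # NOTE(review): --verbose puts extra scan detail into the job log;
      # drop it if job logs are readable more widely than the alerts.
      - name: Scan with OpenGrep
        run: |
          /home/runner/.opengrep/cli/latest/opengrep --config=r/all --sarif-output=opengrep-results.sarif --verbose .

      # GitHub code scanning expects `security-severity` on a rule to be a
      # numeric score serialized as a string ("0.0"–"10.0"); this rewrites
      # textual levels to such scores and leaves every other value untouched.
      # Files are opened with an explicit UTF-8 encoding so the rewrite does
      # not depend on the runner's locale.
      - name: Fix SARIF severity values
        run: |
          python3 << 'EOF'
          import json

          # Load SARIF file
          with open('opengrep-results.sarif', 'r', encoding='utf-8') as f:
              sarif = json.load(f)

          # Map text severity to numeric values (upper-cased before lookup)
          severity_map = {
              'CRITICAL': '9.0',
              'HIGH': '7.0',
              'MEDIUM': '5.0',
              'LOW': '3.0',
              'WARNING': '5.0',
              'ERROR': '7.0',
              'INFO': '1.0',
              'NOTE': '1.0'
          }

          # Fix security-severity values; only string values that match a
          # known level are rewritten, anything else (already numeric,
          # unknown text, missing key) is left as-is
          for run in sarif.get('runs', []):
              for rule in run.get('tool', {}).get('driver', {}).get('rules', []):
                  if 'properties' in rule and 'security-severity' in rule['properties']:
                      severity = rule['properties']['security-severity']
                      if isinstance(severity, str) and severity.upper() in severity_map:
                          rule['properties']['security-severity'] = severity_map[severity.upper()]

          # Save fixed SARIF
          with open('opengrep-results.sarif', 'w', encoding='utf-8') as f:
              json.dump(sarif, f, indent=2)

          print("✓ Fixed SARIF severity values")
          EOF

      # `if: always()` uploads whatever SARIF exists even after an earlier
      # failure; if the scan step itself failed there is no file and this
      # step fails too. NOTE(review): on pull requests opened from forks the
      # token is read-only, so the upload is expected to fail there.
      - name: Upload OpenGrep scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: "opengrep-results.sarif"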