add id fix #6
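name: OpenGrep Scanner

# Least-privilege token for the job: read the checkout, write code-scanning
# alerts (the permission upload-sarif needs). Nothing else is granted.
permissions:
  contents: read
  security-events: write

on:
  push:
    branches:
      - main
      - dev
      - sast
  pull_request:

jobs:
  opengrep-scan:
    name: Use OpenGrep
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
        # NOTE(review): floating tags (@v4 here, @v3 on upload-sarif below) resolve to
        # whatever the tag points at on each run; pinning to a full commit SHA fixes
        # the action code this workflow executes.
        uses: actions/checkout@v4

      - name: Install OpenGrep
        # NOTE(review): this downloads and executes an unpinned script from the
        # repository's default branch; pinning to a release tag and verifying a
        # published checksum before executing it would make the install reproducible.
        run: |
          curl -fsSL https://raw.githubusercontent.com/opengrep/opengrep/main/install.sh | bash
          /home/runner/.opengrep/cli/latest/opengrep --version

      - name: Scan with OpenGrep
        # Rules come from the registry config `r/all`; results go to a SARIF file
        # that the next step post-processes before upload.
        run: |
          /home/runner/.opengrep/cli/latest/opengrep --config=r/all --sarif-output=opengrep-results.sarif --verbose .

      - name: Fix SARIF for GitHub compatibility
        # Post-process the SARIF so the code-scanning upload accepts it: shorten
        # over-long rule IDs (keeping the originals in rule properties) and map
        # textual security-severity labels to the numeric strings GitHub expects.
        run: |
          python3 << 'EOF'
          import hashlib
          import json

          SARIF_PATH = 'opengrep-results.sarif'
          # IDs longer than MAX_ID_LEN are shortened to KEEP_PREFIX chars plus a
          # '...' marker and an 8-hex-char digest, which stays under the limit.
          MAX_ID_LEN = 255
          KEEP_PREFIX = 200

          # Map text severity labels to the numeric strings code scanning expects.
          severity_map = {
              'CRITICAL': '9.0',
              'HIGH': '7.0',
              'MEDIUM': '5.0',
              'LOW': '3.0',
              'WARNING': '5.0',
              'ERROR': '7.0',
              'INFO': '1.0',
              'NOTE': '1.0'
          }

          def shorten_id(rule_id):
              """Return rule_id unchanged if short enough, else a truncated form.

              One function is used for rule definitions and for result ruleIds so
              the two cannot drift apart; the sha256-derived suffix keeps distinct
              long IDs that share a prefix distinct after truncation.
              """
              if len(rule_id) <= MAX_ID_LEN:
                  return rule_id
              digest = hashlib.sha256(rule_id.encode('utf-8')).hexdigest()[:8]
              return rule_id[:KEEP_PREFIX] + '...' + digest

          # SARIF is JSON; read and write it as UTF-8 regardless of the runner locale.
          with open(SARIF_PATH, 'r', encoding='utf-8') as f:
              sarif = json.load(f)

          for run in sarif.get('runs', []):
              for rule in run.get('tool', {}).get('driver', {}).get('rules', []):
                  original_id = rule.get('id')
                  if isinstance(original_id, str) and len(original_id) > MAX_ID_LEN:
                      rule['id'] = shorten_id(original_id)
                      # Keep the untruncated ID so an alert can be traced back to its rule.
                      rule.setdefault('properties', {})['original-rule-id'] = original_id
                  severity = rule.get('properties', {}).get('security-severity')
                  if isinstance(severity, str) and severity.upper() in severity_map:
                      rule['properties']['security-severity'] = severity_map[severity.upper()]
              # Results reference rules by ruleId; apply the identical shortening.
              for result in run.get('results', []):
                  rule_id = result.get('ruleId')
                  if isinstance(rule_id, str) and len(rule_id) > MAX_ID_LEN:
                      result['ruleId'] = shorten_id(rule_id)

          with open(SARIF_PATH, 'w', encoding='utf-8') as f:
              json.dump(sarif, f, indent=2)
          print("✓ Fixed SARIF for GitHub compatibility")
          EOF

      - name: Upload OpenGrep scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        # Still upload when an earlier step failed, but only if a SARIF file was
        # actually produced; otherwise this step would fail on a missing input.
        if: always() && hashFiles('opengrep-results.sarif') != ''
        with:
          sarif_file: "opengrep-results.sarif"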