From e7be4cd7fa9eab1ed7dc0070ff8374423e112d08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=AA=20Minh=20Qu=C3=A2n?= <78531303+aleister1102@users.noreply.github.com> Date: Sat, 13 Dec 2025 01:31:22 +0700 Subject: [PATCH 1/8] Update CodeQL workflow for JavaScript analysis --- .github/workflows/codeql.yml | 87 ++++++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..159bf3168 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,87 @@ +name: "CodeQL - JavaScript (Advanced)" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '0 2 * * 3' # weekly on Wed 02:00 UTC + workflow_dispatch: + +jobs: + analyze: + name: Analyze (CodeQL, Node ${{ matrix.node }}) + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + packages: read + actions: read + + strategy: + fail-fast: false + matrix: + include: + - language: javascript-typescript + node: 18 + build-mode: manual + - language: javascript-typescript + node: 20 + build-mode: manual + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: ${{ matrix.node }} + cache: 'npm' + + - name: Cache node modules + uses: actions/cache@v4 + with: + path: | + ~/.npm + node_modules + key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }} + restore-keys: | + ${{ runner.os }}-node-${{ matrix.node }}- + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # Use built-in query packs plus extended security rules + queries: +security-extended, +security-and-quality + + - name: Build (manual) + if: ${{ matrix.build-mode == 'manual' }} + shell: bash + run: | + # Install dependencies and build the project so CodeQL can analyze compiled output + if [ -f package-lock.json ]; then + npm ci + else + npm install + fi + # Run the project's build (TypeScript -> lib) + if npm run | grep -q " build"; then + npm run build + fi + + - name: Autobuild (CodeQL) + uses: github/codeql-action/autobuild@v4 + env: + CI: true + + - name: Perform CodeQL analysis + uses: github/codeql-action/analyze@v4 + with: + # Optional: narrow category to help triage results in the dashboard + category: "language:javascript-typescript" From fc439e3c7de8a5256912d86458e092881c47c8b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=AA=20Minh=20Qu=C3=A2n?= <78531303+aleister1102@users.noreply.github.com> Date: Sat, 13 Dec 2025 01:34:07 +0700 Subject: [PATCH 2/8] Fix formatting issues in codeql.yml --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 159bf3168..ceb0d547f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -58,7 +58,7 @@ jobs: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} # Use built-in query packs plus extended security rules - queries: +security-extended, +security-and-quality + queries: security-extended,security-and-quality - name: Build (manual) if: ${{ matrix.build-mode == 'manual' }} From a53b09bd4d655f4ea5c691086b94525f8c747fba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=AA=20Minh=20Qu=C3=A2n?= <78531303+aleister1102@users.noreply.github.com> Date: Sat, 13 Dec 2025 01:38:31 +0700 Subject: [PATCH 3/8] Change CodeQL build mode from manual to none --- .github/workflows/codeql.yml | 27 ++++++++++----------------- 1 file changed, 10 insertions(+), 17 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ceb0d547f..204e30ea2 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -25,10 +25,10 @@ jobs: include: - language: javascript-typescript node: 18 - build-mode: manual + build-mode: none - language: javascript-typescript node: 20 - build-mode: manual + build-mode: none steps: - name: Checkout repository @@ -52,6 +52,14 @@ jobs: restore-keys: | ${{ runner.os }}-node-${{ matrix.node }}- + - name: Install dependencies + run: | + if [ -f package-lock.json ]; then + npm ci + else + npm install + fi + - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: @@ -60,21 +68,6 @@ jobs: # Use built-in query packs plus extended security rules queries: security-extended,security-and-quality - - name: Build (manual) - if: ${{ matrix.build-mode == 'manual' }} - shell: bash - run: | - # Install dependencies and build the project so CodeQL can analyze compiled output - if [ -f package-lock.json ]; then - npm ci - else - npm install - fi - # Run the project's build (TypeScript -> lib) - if npm run | grep -q " build"; then - npm run build - fi - - name: Autobuild (CodeQL) uses: github/codeql-action/autobuild@v4 env: From 67c77a4961eab12f97e1b0f41df4e5a2d953830e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=AA=20Minh=20Qu=C3=A2n?= <78531303+aleister1102@users.noreply.github.com> Date: Sat, 13 Dec 2025 01:44:30 +0700 Subject: [PATCH 4/8] Refactor Semgrep workflow for improved efficiency Updated Semgrep workflow to use native action and added caching for node modules. --- .github/workflows/semgrep.yml | 86 +++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 .github/workflows/semgrep.yml diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 000000000..5799b8990 --- /dev/null +++ b/.github/workflows/semgrep.yml @@ -0,0 +1,86 @@ +# Semgrep static analysis workflow for json-server +# NOTE: The legacy `returntocorp/semgrep-action` wrapper is deprecated. +# Consider migrating to the native semgrep action or CI integration documented at https://semgrep.dev/docs + +name: Semgrep + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '30 3 * * 2' # weekly on Tue 03:30 UTC + workflow_dispatch: + +permissions: + contents: read + +jobs: + semgrep: + name: Semgrep scan + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + actions: read + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Setup Node.js (for install steps) + uses: actions/setup-node@v4 + with: + node-version: 18 + cache: 'npm' + + - name: Cache node modules + uses: actions/cache@v4 + with: + path: | + ~/.npm + node_modules + key: ${{ runner.os }}-node-18-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }} + restore-keys: | + ${{ runner.os }}-node-18- + + - name: Install dependencies + run: | + if [ -f package-lock.json ]; then + npm ci + else + npm install + fi + + - name: Run Semgrep scan + # The pinned commit from the example; consider migrating to native semgrep action + uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735 + with: + publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} + publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} + generateSarif: "1" + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: semgrep.sarif + if: always() + + - name: Upload Semgrep SARIF as artifact + uses: actions/upload-artifact@v4 + with: + name: semgrep-sarif + path: semgrep.sarif + if: always() + + - name: Post results summary (optional) + if: always() + run: | + if [ -f semgrep.sarif ]; then + echo "Semgrep scan completed and SARIF produced."; + else + echo "No SARIF produced by Semgrep."; + fi From 7a686f8a2439889d5ea56a480820686b6da3c929 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=AA=20Minh=20Qu=C3=A2n?= <78531303+aleister1102@users.noreply.github.com> Date: Sat, 13 Dec 2025 01:55:22 +0700 Subject: [PATCH 5/8] Delete .github/workflows/semgrep.yml --- .github/workflows/semgrep.yml | 86 ----------------------------------- 1 file changed, 86 deletions(-) delete mode 100644 .github/workflows/semgrep.yml diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml deleted file mode 100644 index 5799b8990..000000000 --- a/.github/workflows/semgrep.yml +++ /dev/null @@ -1,86 +0,0 @@ -# Semgrep static analysis workflow for json-server -# NOTE: The legacy `returntocorp/semgrep-action` wrapper is deprecated. -# Consider migrating to the native semgrep action or CI integration documented at https://semgrep.dev/docs - -name: Semgrep - -on: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] - schedule: - - cron: '30 3 * * 2' # weekly on Tue 03:30 UTC - workflow_dispatch: - -permissions: - contents: read - -jobs: - semgrep: - name: Semgrep scan - runs-on: ubuntu-latest - permissions: - contents: read - security-events: write - actions: read - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Setup Node.js (for install steps) - uses: actions/setup-node@v4 - with: - node-version: 18 - cache: 'npm' - - - name: Cache node modules - uses: actions/cache@v4 - with: - path: | - ~/.npm - node_modules - key: ${{ runner.os }}-node-18-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }} - restore-keys: | - ${{ runner.os }}-node-18- - - - name: Install dependencies - run: | - if [ -f package-lock.json ]; then - npm ci - else - npm install - fi - - - name: Run Semgrep scan - # The pinned commit from the example; consider migrating to native semgrep action - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735 - with: - publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} - publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} - generateSarif: "1" - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: semgrep.sarif - if: always() - - - name: Upload Semgrep SARIF as artifact - uses: actions/upload-artifact@v4 - with: - name: semgrep-sarif - path: semgrep.sarif - if: always() - - - name: Post results summary (optional) - if: always() - run: | - if [ -f semgrep.sarif ]; then - echo "Semgrep scan completed and SARIF produced."; - else - echo "No SARIF produced by Semgrep."; - fi From 2cdcf709717f4be04ca70add1ffea70986cc38a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=AA=20Minh=20Qu=C3=A2n?= <78531303+aleister1102@users.noreply.github.com> Date: Sat, 13 Dec 2025 02:04:36 +0700 Subject: [PATCH 6/8] Enhance Semgrep workflow with Node.js setup Updated Semgrep workflow to include Node.js setup and caching. --- .github/workflows/semgrep.yml | 76 +++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 .github/workflows/semgrep.yml diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 000000000..374a69c01 --- /dev/null +++ b/.github/workflows/semgrep.yml @@ -0,0 +1,76 @@ +name: Semgrep + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '30 3 * * 2' # weekly on Tue 03:30 UTC + workflow_dispatch: + +permissions: + contents: read + +jobs: + semgrep: + name: Semgrep scan + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + actions: read + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 18 + cache: 'npm' + + - name: Cache node modules + uses: actions/cache@v4 + with: + path: | + ~/.npm + node_modules + key: ${{ runner.os }}-node-18-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }} + restore-keys: | + ${{ runner.os }}-node-18- + + - name: Install dependencies + run: | + if [ -f package-lock.json ]; then + npm ci + else + npm install + fi + + - name: Run Semgrep scan + uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735 + with: + publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} + publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} + generateSarif: "1" + + # Upload SARIF to GitHub Security tab + - name: Upload SARIF to security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: semgrep.sarif + category: semgrep + if: always() + + # Keep SARIF as artifact for debugging + - name: Upload Semgrep SARIF as artifact + uses: actions/upload-artifact@v4 + with: + name: semgrep-sarif + path: semgrep.sarif + retention-days: 30 + if: always() From e86c6a6cccfc56a7924a22635ea3fff283c38f4a Mon Sep 17 00:00:00 2001 From: injoker Date: Sat, 13 Dec 2025 02:16:30 +0700 Subject: [PATCH 7/8] ci(workflow): add Python setup, install Semgrep via pip, generate SARIF --- .github/workflows/semgrep.yml | 56 ++++++++++++++++++++++------------- 1 file changed, 35 insertions(+), 21 deletions(-) diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 374a69c01..d5d8d3f5e 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -50,27 +50,41 @@ jobs: else npm install fi + - name: Setup Python + uses: actions/setup-python@v4 + with: + python-version: '3.11' - - name: Run Semgrep scan - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735 - with: - publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} - publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} - generateSarif: "1" + - name: Install Semgrep + run: | + python -m pip install --upgrade pip + pip install semgrep - # Upload SARIF to GitHub Security tab - - name: Upload SARIF to security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: semgrep.sarif - category: semgrep - if: always() + - name: Run Semgrep scan (generate SARIF) + run: | + semgrep scan --sarif --output=semgrep.sarif --config=p/ci || true + continue-on-error: true - # Keep SARIF as artifact for debugging - - name: Upload Semgrep SARIF as artifact - uses: actions/upload-artifact@v4 - with: - name: semgrep-sarif - path: semgrep.sarif - retention-days: 30 - if: always() + - name: Run Semgrep CI (optional, reports to semgrep.dev) + if: ${{ secrets.SEMGREP_APP_TOKEN != '' }} + env: + SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} + run: semgrep ci --config=p/ci || true + continue-on-error: true + + # Upload SARIF to GitHub Security tab (ensures results show in Security -> Code scanning) + - name: Upload SARIF to security tab + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: semgrep.sarif + category: semgrep + if: always() + + # Keep SARIF as artifact for debugging + - name: Upload Semgrep SARIF as artifact + uses: actions/upload-artifact@v4 + with: + name: semgrep-sarif + path: semgrep.sarif + retention-days: 30 + if: always() From 60503a6c980185b84c9305c984c79e68c93e2218 Mon Sep 17 00:00:00 2001 From: injoker Date: Sat, 13 Dec 2025 02:21:42 +0700 Subject: [PATCH 8/8] chore: remove semgrep workflow --- .github/workflows/semgrep.yml | 90 ----------------------------------- 1 file changed, 90 deletions(-) delete mode 100644 .github/workflows/semgrep.yml diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml deleted file mode 100644 index d5d8d3f5e..000000000 --- a/.github/workflows/semgrep.yml +++ /dev/null @@ -1,90 +0,0 @@ -name: Semgrep - -on: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] - schedule: - - cron: '30 3 * * 2' # weekly on Tue 03:30 UTC - workflow_dispatch: - -permissions: - contents: read - -jobs: - semgrep: - name: Semgrep scan - runs-on: ubuntu-latest - permissions: - contents: read - security-events: write - actions: read - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: 18 - cache: 'npm' - - - name: Cache node modules - uses: actions/cache@v4 - with: - path: | - ~/.npm - node_modules - key: ${{ runner.os }}-node-18-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }} - restore-keys: | - ${{ runner.os }}-node-18- - - - name: Install dependencies - run: | - if [ -f package-lock.json ]; then - npm ci - else - npm install - fi - - name: Setup Python - uses: actions/setup-python@v4 - with: - python-version: '3.11' - - - name: Install Semgrep - run: | - python -m pip install --upgrade pip - pip install semgrep - - - name: Run Semgrep scan (generate SARIF) - run: | - semgrep scan --sarif --output=semgrep.sarif --config=p/ci || true - continue-on-error: true - - - name: Run Semgrep CI (optional, reports to semgrep.dev) - if: ${{ secrets.SEMGREP_APP_TOKEN != '' }} - env: - SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} - run: semgrep ci --config=p/ci || true - continue-on-error: true - - # Upload SARIF to GitHub Security tab (ensures results show in Security -> Code scanning) - - name: Upload SARIF to security tab - uses: github/codeql-action/upload-sarif@v4 - with: - sarif_file: semgrep.sarif - category: semgrep - if: always() - - # Keep SARIF as artifact for debugging - - name: Upload Semgrep SARIF as artifact - uses: actions/upload-artifact@v4 - with: - name: semgrep-sarif - path: semgrep.sarif - retention-days: 30 - if: always()