vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-06-24 08:09:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(ci): require OpenGrep SARIF artifacts

Browse Source
This commit is contained in:
Vincent Koc
2026-06-23 14:08:20 +08:00
committed by GitHub
parent a13e2b92b3
commit 0fed6402be
6 changed files with 111 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/opengrep-precise-full.yml vendored
View File

@@ -66,5 +66,5 @@ jobs:
with:
name: opengrep-full-sarif
path: .opengrep-out/precise.sarif
if-no-files-found: warn
if-no-files-found: error
retention-days: 30

2
.github/workflows/opengrep-precise.yml vendored
View File

@@ -97,5 +97,5 @@ jobs:
with:
name: opengrep-pr-diff-sarif
path: .opengrep-out/precise.sarif
if-no-files-found: warn
if-no-files-found: error
retention-days: 30

32
scripts/run-opengrep.sh
View File

@@ -61,11 +61,13 @@ PATHS_PASSED=0
SAW_DOUBLE_DASH=0
CHANGED_ONLY=0
FAIL_ON_FINDINGS=0
SARIF_OUTPUT=""
while (( $# > 0 )); do
case "$1" in
--sarif)
mkdir -p "$REPO_ROOT/.opengrep-out"
EXTRA_ARGS+=( "--sarif-output=$REPO_ROOT/.opengrep-out/$BUCKET.sarif" )
SARIF_OUTPUT="$REPO_ROOT/.opengrep-out/$BUCKET.sarif"
EXTRA_ARGS+=( "--sarif-output=$SARIF_OUTPUT" )
shift
;;
--json)
@@ -102,6 +104,31 @@ while (( $# > 0 )); do
esac
done
write_empty_sarif() {
local output="$1"
mkdir -p "$(dirname "$output")"
cat > "$output" <<'JSON'
{
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "Opengrep OSS",
"informationUri": "https://opengrep.dev",
"semanticVersion": "1.22.0",
"rules": []
}
},
"results": []
}
]
}
JSON
}
cd "$REPO_ROOT"
if (( CHANGED_ONLY && PATHS_PASSED )); then
@@ -181,6 +208,9 @@ if (( PATHS_PASSED == 0 )); then
fi
if (( ${#SCAN_PATHS[@]} == 0 )); then
echo "→ No changed first-party paths for opengrep." >&2
if [[ -n "$SARIF_OUTPUT" ]]; then
write_empty_sarif "$SARIF_OUTPUT"
fi
exit 0
fi
else

1
src/scripts/test-projects.test.ts
View File

@@ -862,6 +862,7 @@ describe("test-projects args", () => {
"src/install-sh-version.test.ts",
"src/proxy-capture/store.sqlite.test.ts",
"test/scripts/android-version.test.ts",
"test/scripts/render-maturity-docs.test.ts",
"test/scripts/resolve-openclaw-ref.test.ts",
],
watchMode: false,

30
test/scripts/ci-workflow-guards.test.ts
View File

@@ -6,6 +6,8 @@ import { parse } from "yaml";
const CHECKOUT_V6 = "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10";
const CACHE_V5 = "actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae";
const UPLOAD_ARTIFACT_V7 = "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a";
const OPENGREP_PR_DIFF_WORKFLOW = ".github/workflows/opengrep-precise.yml";
const OPENGREP_FULL_WORKFLOW = ".github/workflows/opengrep-precise-full.yml";
function readCiWorkflow() {
return parse(readFileSync(".github/workflows/ci.yml", "utf8"));
@@ -104,6 +106,34 @@ describe("ci workflow guards", () => {
expect(findUnpinnedExternalActions()).toEqual([]);
});
it("fails OpenGrep SARIF artifact uploads when reports are missing", () => {
const cases = [
{
workflowPath: OPENGREP_PR_DIFF_WORKFLOW,
artifactName: "opengrep-pr-diff-sarif",
},
{
workflowPath: OPENGREP_FULL_WORKFLOW,
artifactName: "opengrep-full-sarif",
},
];
for (const item of cases) {
const workflow = parse(readFileSync(item.workflowPath, "utf8"));
const uploadStep = workflow.jobs.scan.steps.find(
(step) => step.name === "Upload SARIF as workflow artifact",
);
expect(uploadStep.if, item.workflowPath).toBe("always()");
expect(uploadStep.uses, item.workflowPath).toBe(UPLOAD_ARTIFACT_V7);
expect(uploadStep.with, item.workflowPath).toMatchObject({
name: item.artifactName,
path: ".opengrep-out/precise.sarif",
"if-no-files-found": "error",
});
}
});
it("runs real behavior proof from the trusted workflow revision", () => {
const workflow = readRealBehaviorProofWorkflow();
const source = readFileSync(".github/workflows/real-behavior-proof.yml", "utf8");

47
test/scripts/run-opengrep.test.ts
View File

@@ -68,6 +68,53 @@ describe("run-opengrep.sh", () => {
expect(args).toContain("security/opengrep/precise.yml");
});
it("writes empty SARIF when a changed scan has no first-party paths", () => {
const repo = createTempDir("openclaw-run-opengrep-empty-sarif-");
git(repo, "init", "-q");
git(repo, "config", "user.email", "test@example.com");
git(repo, "config", "user.name", "Test User");
copyRunOpengrepFiles(repo);
writeFile(path.join(repo, "security/opengrep/precise.yml"), "rules: []\n");
writeFile(path.join(repo, ".github/actions/ensure-base-commit/action.yml"), "name: ensure\n");
git(repo, "add", ".");
git(repo, "commit", "-qm", "initial");
fs.appendFileSync(path.join(repo, ".github/actions/ensure-base-commit/action.yml"), "# changed\n");
const argsPath = path.join(repo, "opengrep-args.txt");
const binDir = path.join(repo, "bin");
fs.mkdirSync(binDir);
writeFile(
path.join(binDir, "opengrep"),
[
"#!/usr/bin/env bash",
`printf '%s\\n' "$@" > ${JSON.stringify(argsPath)}`,
"exit 0",
"",
].join("\n"),
);
fs.chmodSync(path.join(binDir, "opengrep"), 0o755);
execFileSync("bash", ["scripts/run-opengrep.sh", "--changed", "--sarif", "--error"], {
cwd: repo,
env: {
...process.env,
PATH: `${binDir}${path.delimiter}${process.env.PATH ?? ""}`,
OPENCLAW_OPENGREP_BASE_REF: "HEAD",
},
encoding: "utf8",
});
const sarif = JSON.parse(
fs.readFileSync(path.join(repo, ".opengrep-out/precise.sarif"), "utf8"),
);
expect(sarif.version).toBe("2.1.0");
expect(sarif.runs[0].tool.driver.name).toBe("Opengrep OSS");
expect(sarif.runs[0].tool.driver.semanticVersion).toBe("1.22.0");
expect(sarif.runs[0].results).toEqual([]);
expect(fs.existsSync(argsPath)).toBe(false);
});
it("scans PR files instead of main-only files when the payload base is stale", () => {
const repo = createTempDir("openclaw-run-opengrep-merge-");
git(repo, "init", "-q", "--initial-branch=main");