mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-06 13:30:42 +00:00
6de9d71bfb
* feat(security): add GHSA detector-review pipeline and OpenGrep CI workflows [AI-assisted]
Stand up an end-to-end pipeline that turns every published openclaw GitHub
Security Advisory into a reusable OpenGrep rule, and wire the compiled rules
into manual-dispatch GitHub Actions workflows that publish SARIF to GitHub
Code Scanning.
The pipeline is harness-agnostic: any coding-agent CLI (Rovo Dev, Claude
Code, Codex, OpenCode, or anything you can shell out to) can drive it via
the runner script's --harness flag. Built-in adapters cover the four common
harnesses; --harness-cmd '<template>' supports anything else with shell-style
{prompt}/{model}/{output_file} substitution.
Pipeline pieces:
- scripts/run-ghsa-detector-review-batch.mjs runs your chosen coding harness
in parallel against every advisory using the agent-agnostic detector-review
spec at security/detector-review/detector-review-spec.md. Each case
produces an opengrep general-rule.yml (precise) and broad-rule.yml
(review-aid), plus a coverage-validated report against the vulnerable
commit's changed files.
- scripts/compile-opengrep-rules.mjs walks a run directory, rewrites each
rule's id to ghsa-detector.<ghsa>.<orig-id>, injects ghsa/advisory-url/
detector-bucket/source-rule-id metadata, and uses opengrep itself to drop
rules with InvalidRuleSchemaError so the published super-configs load
cleanly.
Compiled outputs:
- security/opengrep/precise.yml (336 rules)
- security/opengrep/broad.yml (459 rules)
- security/opengrep/compile-manifest.json (per-rule provenance map)
CI workflows (manual workflow_dispatch only):
- .github/workflows/opengrep-precise.yml
- .github/workflows/opengrep-broad.yml
Both install a pinned opengrep, run opengrep scan against src/, upload SARIF
to Code Scanning under categories opengrep-precise / opengrep-broad, and use
continue-on-error: true so findings never block the workflow.
Detector-review spec and assets:
- security/detector-review/detector-review-spec.md the agent-agnostic spec
the runner injects into each per-case prompt
- security/detector-review/references/{detector-rubric,report-template}.md
- security/detector-review/scripts/init_case.py
- security/prompt-suffix-coverage-first.md mandatory prompt addendum that
enforces coverage-first validation (rule must catch the OG vuln, not just
pass synthetic fixtures)
Docs:
- security/README.md end-to-end flow, supported harnesses, regen recipe
- security/opengrep/README.md compiled-config details + recompile recipe
* security: tighten GHSA OpenGrep detector workflow
* chore: refine precise opengrep workflow
* chore: remove stale opengrep metadata
* fix: harden GHSA OpenGrep workflow
* ci: split OpenGrep diff and full scans
* chore: remove performance-only opengrep rule
* ci: use OpenGrep installer path
* chore: enforce opengrep rule metadata provenance
* chore: generalize opengrep rule compilation
* docs: align opengrep rulepack guidance
* chore: support generic opengrep rule sources
* fix: validate opengrep rulepack-only changes
---------
Co-authored-by: Jesse Merhi <security-engineering@atlassian.com>
96 lines
2.8 KiB
Plaintext
96 lines
2.8 KiB
Plaintext
# .semgrepignore — single source of truth for paths excluded from
|
|
# opengrep / semgrep scans run against this repo.
|
|
#
|
|
# Syntax: gitignore-style globs (https://git-scm.com/docs/gitignore).
|
|
# Consumed automatically by `opengrep scan` and `semgrep scan`. The compiled
|
|
# detector rulepacks under security/opengrep/ and the GitHub Actions workflows
|
|
# under .github/workflows/opengrep-*.yml all rely on this file rather than
|
|
# duplicating exclude lists in 50+ places.
|
|
#
|
|
# When adding a new test naming convention, fixture directory, or QA-tooling
|
|
# extension to the codebase, add its glob here so the security rulepacks
|
|
# stop firing on it. Real product code should never match anything in this
|
|
# file.
|
|
|
|
# ----------------------------------------------------------------------------
|
|
# Standard test file suffixes
|
|
# ----------------------------------------------------------------------------
|
|
*.test.*
|
|
*.spec.*
|
|
|
|
# ----------------------------------------------------------------------------
|
|
# Fixture & mock file suffixes (cover both .foo and -foo styles used in repo)
|
|
# ----------------------------------------------------------------------------
|
|
*.fixture.*
|
|
*-fixture.*
|
|
*-fixtures.*
|
|
*.mock.*
|
|
*-mock.*
|
|
*-mocks.*
|
|
|
|
# ----------------------------------------------------------------------------
|
|
# Test helper / harness / support / shared / utils naming conventions
|
|
# ----------------------------------------------------------------------------
|
|
*.test-helper.*
|
|
*.test-helpers.*
|
|
*-test-helpers.*
|
|
*.test-harness.*
|
|
*-test-harness.*
|
|
*.test-support.*
|
|
*-test-support.*
|
|
*.test-shared.*
|
|
*-test-shared.*
|
|
*.test-mocks.*
|
|
*-test-mocks.*
|
|
*.test-utils.*
|
|
*-test-utils.*
|
|
*.test-fixtures.*
|
|
*-test-fixtures.*
|
|
*.e2e-test-helpers.*
|
|
|
|
# Bare top-of-dir test helper files (e.g. extensions/foo/src/test-helpers.ts)
|
|
test-helper.*
|
|
test-helpers.*
|
|
test-harness.*
|
|
test-support.*
|
|
test-shared.*
|
|
test-utils.*
|
|
test-mocks.*
|
|
test-fixtures.*
|
|
test-fetch.*
|
|
test-manager-helpers.*
|
|
|
|
# ----------------------------------------------------------------------------
|
|
# Test / mock / fixture directories anywhere in the tree
|
|
# ----------------------------------------------------------------------------
|
|
__tests__/
|
|
__mocks__/
|
|
test/
|
|
tests/
|
|
test-fixtures/
|
|
test-fixture/
|
|
test-helpers/
|
|
test-utils/
|
|
test-support/
|
|
test-mocks/
|
|
test-harness/
|
|
fixtures/
|
|
mocks/
|
|
|
|
# ----------------------------------------------------------------------------
|
|
# QA tooling — entire QA-only directories and extensions, not product code
|
|
# ----------------------------------------------------------------------------
|
|
qa/
|
|
qa-lab/
|
|
extensions/qa-*/
|
|
|
|
# ----------------------------------------------------------------------------
|
|
# Top-level scripts that drive tests rather than ship product behavior
|
|
# ----------------------------------------------------------------------------
|
|
scripts/test-*
|
|
scripts/run-vitest*
|
|
scripts/run-tests*
|
|
scripts/lib/test-*
|
|
scripts/lib/extension-test-*
|
|
scripts/lib/vitest-*
|