
ci: add Semgrep SAST scanning on pull requests #48

Merged
Sayan- merged 1 commit into main from sayan/kernel-1191-finalize-scope-of-repos-under-elevated-vulnerability
Apr 29, 2026

Conversation

@Sayan-
Contributor

@Sayan- Sayan- commented Apr 29, 2026

Summary

Follow-up from the INC-51 postmortem (KERNEL-1191): expanding the elevated vulnerability management scope to customer-facing tools. This CLI authenticates against the Hypeman/Unikraft Cloud API with user credentials so it qualifies.

This PR adds .github/workflows/semgrep.yml that calls the reusable workflow in kernel/security-workflows. Runs on every PR targeting `main` with the agent-powered triage flow already used across the other subscribed repos.

Semgrep configs: `p/golang`, `p/trailofbits`.

Uses org-level secrets already provisioned for existing subscribers (`CURSOR_API_KEY`, `CURSOR_PREFERRED_MODEL`, `ADMIN_APP_ID`, `ADMIN_APP_PRIVATE_KEY`, `SOCKET_API_TOKEN`) via `secrets: inherit`.

Test plan

  • CI runs on this PR itself (first scan of the repo). Verify the `Semgrep / scan` check appears and completes.
  • If findings are produced, confirm the triage agent posts comments as expected.

Made with Cursor
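For readers who have not seen one of the subscriber workflows, the following is an added illustration of what a caller workflow for this setup looks like; it is not the file from this PR or from kernel/security-workflows. The callee path (`.github/workflows/semgrep.yml` in that repo), the `configs` input name and the job name `scan` are assumptions; the trigger, rule packs, `pull-requests: write` permission and `secrets: inherit` come from the PR description and the Bugbot summary.

```yaml
# Added example, not the repository's own .github/workflows/semgrep.yml.
# Assumed (not on the PR page): the reusable workflow lives at
# .github/workflows/semgrep.yml in kernel/security-workflows, it takes a
# `configs` input, and the caller job is named `scan`.
name: Semgrep

on:
  # `pull_request`, not `pull_request_target`: the called workflow receives the
  # inherited org secrets, so it must never run fork-controlled code with the
  # base repository's token.
  pull_request:
    branches: [main]

# Least privilege for the caller; a reusable workflow can narrow these
# permissions further but cannot widen them.
permissions:
  contents: read        # check out the PR head for scanning
  pull-requests: write  # lets the triage agent post review comments

# One scan per PR at a time; a new push cancels the stale run.
concurrency:
  group: semgrep-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  scan:
    # Pin the callee to a full commit SHA rather than a moving branch:
    # `secrets: inherit` hands every secret the caller can see to whatever
    # code this ref resolves to. PIN_TO_COMMIT_SHA is a placeholder.
    uses: kernel/security-workflows/.github/workflows/semgrep.yml@PIN_TO_COMMIT_SHA
    with:
      configs: p/golang p/trailofbits   # rule packs named in the PR
    secrets: inherit
```

Two points a reviewer of a subscriber workflow usually checks: the callee ref is pinned (a branch ref plus `secrets: inherit` means a later change in the shared repo silently runs with this repo's secrets), and the secret surface is as small as practical. Because the PR already enumerates the five secrets the shared workflow needs, an explicit `secrets:` block naming only those is the tighter alternative to `secrets: inherit`, at the cost of updating every subscriber when the shared workflow adds one.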


Note

Low Risk
Adds a new GitHub Actions workflow that runs a reusable Semgrep scan on PRs to main; no production code changes, with minimal risk aside from potential CI noise or new findings blocking merges.

Overview
Adds a new .github/workflows/semgrep.yml workflow that runs Semgrep SAST on every pull request targeting main via the reusable kernel/security-workflows pipeline.

The scan is configured with p/golang and p/trailofbits rules, grants pull-requests: write for automated commenting/triage, and uses secrets: inherit to access org-provided credentials.

Reviewed by Cursor Bugbot for commit 0c9646f. Bugbot is set up for automated code reviews on this repo. Configure here.

Subscribes this repo to the shared Semgrep workflow in
kernel/security-workflows as part of expanding the elevated
vulnerability management scope to customer-facing SDKs
(KERNEL-1191, INC-51 follow-up).

Made-with: Cursor
@firetiger-agent

Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:

Any PR that changes the kernel API. Monitor changes to API endpoints (packages/api/cmd/api/) and Temporal workflows (packages/api/lib/temporal) in the kernel repo

Reason: PR only adds CI/security scanning configuration (.github/workflows/semgrep.yml), not changes to API endpoints or Temporal workflows.

To monitor this PR anyway, reply with @firetiger monitor this.

@Sayan- Sayan- requested a review from ulziibay-kernel April 29, 2026 17:58
@Sayan- Sayan- merged commit 9af4440 into main Apr 29, 2026
7 checks passed
@Sayan- Sayan- deleted the sayan/kernel-1191-finalize-scope-of-repos-under-elevated-vulnerability branch April 29, 2026 19:15