From 6b0509e499aab12d5c722a3e06edc9bb48386808 Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 16:25:58 +0530 Subject: [PATCH 01/24] Create opengrepGA.yml --- templates/opengrepGA.yml | 44 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 templates/opengrepGA.yml diff --git a/templates/opengrepGA.yml b/templates/opengrepGA.yml new file mode 100644 index 0000000..dce6290 --- /dev/null +++ b/templates/opengrepGA.yml @@ -0,0 +1,44 @@ +name: OpenGrep PR Scan + +on: + pull_request: + paths-ignore: + - '**.md' + +jobs: + opengrep-scan: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Fetch latest OpenGrep version + id: get-version + run: | + VERSION=$(curl -s https://api.github.com/repos/opengrep/opengrep/releases/latest | jq -r .tag_name) + echo "OPENGREP_VERSION=${VERSION#v}" >> $GITHUB_ENV + echo "VERSION_TAG=$VERSION" >> $GITHUB_OUTPUT + + - name: Download and install OpenGrep + run: | + curl -L -o opengrep "https://github.com/opengrep/opengrep/releases/download/${{ steps.get-version.outputs.VERSION_TAG }}/opengrep-linux-x86_64" + chmod +x opengrep + sudo mv opengrep /usr/local/bin/opengrep + + - name: Set up Git for diff + run: | + git fetch origin ${{ github.base_ref }} --depth=1 + + - name: Get changed files + id: changed-files + run: | + FILES=$(git diff --name-only origin/${{ github.base_ref }}...${{ github.head_ref }} | tr '\n' ' ') + echo "FILES=$FILES" >> $GITHUB_OUTPUT + + - name: Run OpenGrep scan + if: steps.changed-files.outputs.FILES != '' + run: | + echo "Scanning changed files with OpenGrep..." + opengrep scan ${{ steps.changed-files.outputs.FILES }} + From f73b2db12daf906c5788e0fd9727ddd6165de693 Mon Sep 17 00:00:00 2001 
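Review bot: `${{ github.head_ref }}` in the `Set up Git for diff` and `Get changed files` `run:` blocks, and `${{ steps.changed-files.outputs.FILES }}` in the scan step, are substituted into the shell script text before it executes, so a pull-request branch name or a changed file name containing shell metacharacters becomes part of the command the runner executes; both values are chosen by the PR author, which is the script-injection pattern GitHub's own hardening guidance warns about. Pass them through `env:` and reference the variables quoted in the shell so they are data rather than code, and read the file list from an environment variable inside the script instead of via `${{ }}`. The same interpolation is re-created in patch 03 and carried through the hunks of patches 04, 13, 20, 21 and 24, so one fix in the final workflow covers all of them. A sketch for the three affected steps follows; the other steps are unchanged.
```yaml
      - name: Set up Git for diff
        env:
          BASE_REF: ${{ github.base_ref }}
        run: |
          git fetch origin "$BASE_REF" --depth=1

      - name: Get changed files
        id: changed-files
        env:
          BASE_REF: ${{ github.base_ref }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          FILES=$(git diff --name-only "origin/$BASE_REF...$HEAD_REF" | tr '\n' ' ')
          echo "FILES=$FILES" >> "$GITHUB_OUTPUT"

      - name: Run OpenGrep scan
        if: steps.changed-files.outputs.FILES != ''
        env:
          FILES: ${{ steps.changed-files.outputs.FILES }}
        run: |
          echo "Scanning changed files with OpenGrep..."
          # FILES is a space-separated list by construction; intentional word split
          opengrep scan $FILES
```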
From: Souradip Ghosh Date: Thu, 15 May 2025 16:27:29 +0530 Subject: [PATCH 02/24] Delete templates/opengrepGA.yml --- templates/opengrepGA.yml | 44 ---------------------------------------- 1 file changed, 44 deletions(-) delete mode 100644 templates/opengrepGA.yml diff --git a/templates/opengrepGA.yml b/templates/opengrepGA.yml deleted file mode 100644 index dce6290..0000000 --- a/templates/opengrepGA.yml +++ /dev/null @@ -1,44 +0,0 @@ -name: OpenGrep PR Scan - -on: - pull_request: - paths-ignore: - - '**.md' - -jobs: - opengrep-scan: - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Fetch latest OpenGrep version - id: get-version - run: | - VERSION=$(curl -s https://api.github.com/repos/opengrep/opengrep/releases/latest | jq -r .tag_name) - echo "OPENGREP_VERSION=${VERSION#v}" >> $GITHUB_ENV - echo "VERSION_TAG=$VERSION" >> $GITHUB_OUTPUT - - - name: Download and install OpenGrep - run: | - curl -L -o opengrep "https://github.com/opengrep/opengrep/releases/download/${{ steps.get-version.outputs.VERSION_TAG }}/opengrep-linux-x86_64" - chmod +x opengrep - sudo mv opengrep /usr/local/bin/opengrep - - - name: Set up Git for diff - run: | - git fetch origin ${{ github.base_ref }} --depth=1 - - - name: Get changed files - id: changed-files - run: | - FILES=$(git diff --name-only origin/${{ github.base_ref }}...${{ github.head_ref }} | tr '\n' ' ') - echo "FILES=$FILES" >> $GITHUB_OUTPUT - - - name: Run OpenGrep scan - if: steps.changed-files.outputs.FILES != '' - run: | - echo "Scanning changed files with OpenGrep..." - opengrep scan ${{ steps.changed-files.outputs.FILES }} - From c2aef6bacfcb4a7f63bb6c58b7a1f3d0bfe8fd6f Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 16:28:08 +0530 Subject: [PATCH 03/24] Create opengrepGA.yml --- .github/workflows/opengrepGA.yml | 44 ++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 .github/workflows/opengrepGA.yml 
diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml new file mode 100644 index 0000000..dce6290 --- /dev/null +++ b/.github/workflows/opengrepGA.yml @@ -0,0 +1,44 @@ +name: OpenGrep PR Scan + +on: + pull_request: + paths-ignore: + - '**.md' + +jobs: + opengrep-scan: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Fetch latest OpenGrep version + id: get-version + run: | + VERSION=$(curl -s https://api.github.com/repos/opengrep/opengrep/releases/latest | jq -r .tag_name) + echo "OPENGREP_VERSION=${VERSION#v}" >> $GITHUB_ENV + echo "VERSION_TAG=$VERSION" >> $GITHUB_OUTPUT + + - name: Download and install OpenGrep + run: | + curl -L -o opengrep "https://github.com/opengrep/opengrep/releases/download/${{ steps.get-version.outputs.VERSION_TAG }}/opengrep-linux-x86_64" + chmod +x opengrep + sudo mv opengrep /usr/local/bin/opengrep + + - name: Set up Git for diff + run: | + git fetch origin ${{ github.base_ref }} --depth=1 + + - name: Get changed files + id: changed-files + run: | + FILES=$(git diff --name-only origin/${{ github.base_ref }}...${{ github.head_ref }} | tr '\n' ' ') + echo "FILES=$FILES" >> $GITHUB_OUTPUT + + - name: Run OpenGrep scan + if: steps.changed-files.outputs.FILES != '' + run: | + echo "Scanning changed files with OpenGrep..." + opengrep scan ${{ steps.changed-files.outputs.FILES }} + From 02c1310bc1c09808bc69b7c0809dc25656002209 Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 16:30:38 +0530 Subject: [PATCH 04/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index dce6290..decf9b9 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml 
@@ -12,33 +12,35 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + fetch-depth: 0 # Important to allow full history for diff - - name: Fetch latest OpenGrep version + - name: Fetch all branches + run: | + git fetch origin ${{ github.base_ref }} ${{ github.head_ref }} + + - name: Get latest OpenGrep version id: get-version run: | VERSION=$(curl -s https://api.github.com/repos/opengrep/opengrep/releases/latest | jq -r .tag_name) - echo "OPENGREP_VERSION=${VERSION#v}" >> $GITHUB_ENV echo "VERSION_TAG=$VERSION" >> $GITHUB_OUTPUT - - name: Download and install OpenGrep + - name: Download and install latest OpenGrep run: | curl -L -o opengrep "https://github.com/opengrep/opengrep/releases/download/${{ steps.get-version.outputs.VERSION_TAG }}/opengrep-linux-x86_64" chmod +x opengrep sudo mv opengrep /usr/local/bin/opengrep - - name: Set up Git for diff - run: | - git fetch origin ${{ github.base_ref }} --depth=1 - - - name: Get changed files + - name: Get changed files in PR id: changed-files run: | - FILES=$(git diff --name-only origin/${{ github.base_ref }}...${{ github.head_ref }} | tr '\n' ' ') + FILES=$(git diff --name-only origin/${{ github.base_ref }}...origin/${{ github.head_ref }} | tr '\n' ' ') echo "FILES=$FILES" >> $GITHUB_OUTPUT + echo "Changed files: $FILES" - - name: Run OpenGrep scan + - name: Run OpenGrep on changed files if: steps.changed-files.outputs.FILES != '' run: | - echo "Scanning changed files with OpenGrep..." + echo "Scanning only changed files..." opengrep scan ${{ steps.changed-files.outputs.FILES }} From 2c77c7207ec831cbaf8297b6d9ee08c57e056ef9 Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 16:39:51 +0530 Subject: [PATCH 05/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index decf9b9..4063606 100644 --- a/.github/workflows/opengrepGA.yml 
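Review bot: `git diff --name-only origin/…...origin/…` in the renamed `Get changed files in PR` step also lists files the PR deletes or renames away, and those paths are then handed to `opengrep scan` as targets that no longer exist in the checkout; add `--diff-filter=ACMR` to the `git diff --name-only` call so only added, copied, modified and renamed files are scanned. With `fetch-depth: 0` on `actions/checkout`, the new `Fetch all branches` step is probably redundant, though harmless. Note that `paths-ignore: '**.md'` only affects whether the workflow triggers, so a PR touching both Markdown and source files still passes its `.md` paths to the scanner; filtering the list by extension would keep the scan consistent with the trigger.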
+++ b/.github/workflows/opengrepGA.yml @@ -42,5 +42,5 @@ jobs: if: steps.changed-files.outputs.FILES != '' run: | echo "Scanning only changed files..." - opengrep scan ${{ steps.changed-files.outputs.FILES }} + opengrep ci From b63fb6e0e320cdbaf9660a3aeae4102e8f72f7aa Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 16:40:51 +0530 Subject: [PATCH 06/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index 4063606..acc22c7 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml @@ -42,5 +42,5 @@ jobs: if: steps.changed-files.outputs.FILES != '' run: | echo "Scanning only changed files..." - opengrep ci + opengrep ci --help From c761c7b9b3f73793e8ee36bbb28a2888465bd499 Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 16:43:22 +0530 Subject: [PATCH 07/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index acc22c7..91692dc 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml @@ -42,5 +42,5 @@ jobs: if: steps.changed-files.outputs.FILES != '' run: | echo "Scanning only changed files..." - opengrep ci --help + opengrep --version From f0e667e0c7b58613f1bd76ad7a5496d0e4094ef6 Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 16:46:47 +0530 Subject: [PATCH 08/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index 91692dc..54c1f16 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml 
@@ -27,7 +27,7 @@ jobs: - name: Download and install latest OpenGrep run: | - curl -L -o opengrep "https://github.com/opengrep/opengrep/releases/download/${{ steps.get-version.outputs.VERSION_TAG }}/opengrep-linux-x86_64" + curl -L -o opengrep "https://github.com/opengrep/opengrep/releases/download/${{ steps.get-version.outputs.VERSION_TAG }}/opengrep_manylinux_x86" chmod +x opengrep sudo mv opengrep /usr/local/bin/opengrep From 6f1e88820232ef2bb0506da66f58865cfac3e2c1 Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 16:47:33 +0530 Subject: [PATCH 09/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index 54c1f16..e183723 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml @@ -42,5 +42,5 @@ jobs: if: steps.changed-files.outputs.FILES != '' run: | echo "Scanning only changed files..." - opengrep --version + opengrep ci From 4c336e14fff586b9019fd02de94403077ef8fd5e Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 16:50:30 +0530 Subject: [PATCH 10/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index e183723..7552aab 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml @@ -42,5 +42,5 @@ jobs: if: steps.changed-files.outputs.FILES != '' run: | echo "Scanning only changed files..." - opengrep ci + opengrep scan --metrics=auto opengrep scan --metrics=auto From e7eb5552b916ef17721ed3fd724aedccd0cc7228 Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 16:52:48 +0530 Subject: [PATCH 11/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
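Review bot: The download line still has no failure handling or integrity check: `curl -L -o opengrep` without `-f` writes a 404 or error page into `opengrep` when the asset name is wrong, or when the unauthenticated `releases/latest` lookup is rate-limited and `jq -r .tag_name` yields `null`, and the next two lines then `chmod +x` that file and move it into `/usr/local/bin`. The asset name flips between `opengrep-linux-x86_64` and `opengrep_manylinux_x86` again in patches 13 and 19, which is exactly the case `curl -f` would have turned into a failed step instead of a broken binary. Tracking `latest` also means every run installs whatever upstream currently publishes; pin the release tag and, if upstream publishes one, verify a checksum before `chmod +x`. At minimum start the step with `set -euo pipefail` and use `curl -fsSL --retry 3 -o opengrep "<release asset URL>"`.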
diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index 7552aab..2e674ff 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml @@ -42,5 +42,5 @@ jobs: if: steps.changed-files.outputs.FILES != '' run: | echo "Scanning only changed files..." - opengrep scan --metrics=auto opengrep scan --metrics=auto + opengrep scan --metrics=auto ${{ steps.changed-files.outputs.FILES }} From 0d5a6e50cfa78c5829e2dec96dc774e87f0295f1 Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 16:54:37 +0530 Subject: [PATCH 12/24] Update routes.py --- routes.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/routes.py b/routes.py index f17ac35..871915a 100644 --- a/routes.py +++ b/routes.py @@ -19,7 +19,7 @@ def login(): if request.method == 'POST': username = request.form['username'] password = request.form['password'] - hashed_password = hash_password(password) # Hash the password before checking + hashed_password = hash_password(password) # Hash the password before checking test db = get_db() @@ -176,4 +176,4 @@ def rce(): flash("Please enter a valid URL.", "warning") return render_template('rce.html', output=output, error=error) - \ No newline at end of file + From 079d091d76f8d8961f2321e1f07cc588e52279a8 Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 17:04:16 +0530 Subject: [PATCH 13/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 45 +++++++++++++++++++++++++------- 1 file changed, 36 insertions(+), 9 deletions(-) diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index 2e674ff..5fc76b3 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml 
@@ -13,9 +13,9 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 with: - fetch-depth: 0 # Important to allow full history for diff + fetch-depth: 0 - - name: Fetch all branches + - name: Fetch base and head branches run: | git fetch origin ${{ github.base_ref }} ${{ github.head_ref }} 
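Review bot: This hunk removes the only why-comment on `fetch-depth: 0` without replacing it, leaving a reader to guess why the default shallow clone is disabled. Since the line-level `git diff` against `origin/${{ github.base_ref }}` later in the workflow depends on that history, keep a short note such as `fetch-depth: 0  # full history so base...head diffs resolve`.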
@@ -25,22 +25,49 @@ jobs: VERSION=$(curl -s https://api.github.com/repos/opengrep/opengrep/releases/latest | jq -r .tag_name) echo "VERSION_TAG=$VERSION" >> $GITHUB_OUTPUT - - name: Download and install latest OpenGrep + - name: Download and install OpenGrep run: | - curl -L -o opengrep "https://github.com/opengrep/opengrep/releases/download/${{ steps.get-version.outputs.VERSION_TAG }}/opengrep_manylinux_x86" + curl -L -o opengrep "https://github.com/opengrep/opengrep/releases/download/${{ steps.get-version.outputs.VERSION_TAG }}/opengrep-linux-x86_64" chmod +x opengrep sudo mv opengrep /usr/local/bin/opengrep - - name: Get changed files in PR + - name: Get changed files id: changed-files run: | FILES=$(git diff --name-only origin/${{ github.base_ref }}...origin/${{ github.head_ref }} | tr '\n' ' ') echo "FILES=$FILES" >> $GITHUB_OUTPUT echo "Changed files: $FILES" - - name: Run OpenGrep on changed files - if: steps.changed-files.outputs.FILES != '' + - name: Get line-level changes per file + id: diff-lines run: | - echo "Scanning only changed files..." - opengrep scan --metrics=auto ${{ steps.changed-files.outputs.FILES }} + echo "{}" > changed_lines.json + for file in $(git diff --name-only origin/${{ github.base_ref }}...origin/${{ github.head_ref }}); do + lines=$(git diff -U0 origin/${{ github.base_ref }}...origin/${{ github.head_ref }} -- "$file" | \ + grep '^@@' | sed -nE 's/^@@ \+([0-9]+)(,[0-9]+)? .*/\1/p' | tr '\n' ' ') + if [ ! -z "$lines" ]; then + jq --arg file "$file" --argjson lines "$(echo $lines | jq -R 'split(" ") | map(tonumber)')" \ + '. 
+ {($file): $lines}' changed_lines.json > tmp.json && mv tmp.json changed_lines.json + fi + done + echo "Changed lines by file:" + cat changed_lines.json + + - name: Run OpenGrep scan and output to JSON + run: | + opengrep scan --metrics=auto --format=json ${{ steps.changed-files.outputs.FILES }} > findings.json + + - name: Filter findings to only changed lines + run: | + echo "[]" > relevant_findings.json + jq -c '.[]' findings.json | while read -r finding; do + file=$(echo "$finding" | jq -r '.file') + line=$(echo "$finding" | jq -r '.line') + if jq -e --arg file "$file" --argjson line "$line" \ + 'has($file) and (.[$file] | index($line))' changed_lines.json > /dev/null; then + jq -n "$finding" >> relevant_findings.json + fi + done + echo "Relevant findings:" + cat relevant_findings.json || echo "✅ No relevant issues in changed lines." From 5ac8c1bb0042d5c0a498415c0288ab5ff3940fd4 Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 17:11:53 +0530 Subject: [PATCH 14/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index 5fc76b3..e7e62aa 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml @@ -55,7 +55,7 @@ jobs: - name: Run OpenGrep scan and output to JSON run: | - opengrep scan --metrics=auto --format=json ${{ steps.changed-files.outputs.FILES }} > findings.json + opengrep scan --json-output=findings.json --metrics=auto ${{ steps.changed-files.outputs.FILES }} - name: Filter findings to only changed lines run: | From 42e09d5d5b9f168e35e8dd6eadcc8182e3f18936 Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 17:15:05 +0530 Subject: [PATCH 15/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
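Review bot: The new `Run OpenGrep scan and output to JSON` step drops the `if: steps.changed-files.outputs.FILES != ''` guard the replaced step had, so an empty file list now runs `opengrep scan` with no targets, which presumably scans the whole checkout rather than skipping. The `Filter findings to only changed lines` step also never produces valid JSON: it seeds `relevant_findings.json` with `[]` and then appends bare objects with `jq -n "$finding" >>`, and the `cat … || echo "✅ …"` fallback cannot fire because `cat` succeeds on a file that was just created. Patches 20 and 22 re-touch this loop without changing either behaviour. Restore the guard on both steps and replace the loop with a single jq filter that joins `findings.json` against `changed_lines.json` and writes a real array, then report from `jq length`; the sketch below uses the `.results[]`/`.path`/`.start.line` keys patch 20 later settles on.
```yaml
      - name: Run OpenGrep scan and output to JSON
        if: steps.changed-files.outputs.FILES != ''
        # … unchanged: run: | opengrep scan … …

      - name: Filter findings to only changed lines
        if: steps.changed-files.outputs.FILES != ''
        run: |
          jq --slurpfile changed changed_lines.json '
            [ .results[]
              | .start.line as $l
              | (.path | ltrimstr("./")) as $p
              | select(($changed[0][$p] // []) | index($l) != null) ]
          ' findings.json > relevant_findings.json
          echo "Relevant findings:"
          cat relevant_findings.json
          if [ "$(jq length relevant_findings.json)" -eq 0 ]; then
            echo "✅ No relevant issues in changed lines."
          fi
```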
diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index e7e62aa..948301e 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml @@ -55,7 +55,7 @@ jobs: - name: Run OpenGrep scan and output to JSON run: | - opengrep scan --json-output=findings.json --metrics=auto ${{ steps.changed-files.outputs.FILES }} + opengrep scan --json-output=findings.json --metrics=auto ${{ steps.changed-files.outputs.FILES }} - name: Filter findings to only changed lines run: | From 41a41b20909f9bdfabe5ead5dbd190ca0bcb5094 Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 17:15:52 +0530 Subject: [PATCH 16/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index 948301e..9702e7e 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml @@ -55,7 +55,7 @@ jobs: - name: Run OpenGrep scan and output to JSON run: | - opengrep scan --json-output=findings.json --metrics=auto ${{ steps.changed-files.outputs.FILES }} + opengrep scan --json-output=findings.json --help - name: Filter findings to only changed lines run: | From b0254ee7d6b77309fd0cb8c25882ee9ebba6af57 Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 17:16:37 +0530 Subject: [PATCH 17/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index 9702e7e..96b1441 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml @@ -55,7 +55,7 @@ jobs: - name: Run OpenGrep scan and output to JSON run: | - opengrep scan --json-output=findings.json --help + opengrep scan --help - name: Filter findings to only changed lines run: | From 9feb3d13fc1f87d2bfee072700df297f15c7ac1a Mon Sep 17 00:00:00 2001 
From: Souradip Ghosh Date: Thu, 15 May 2025 17:17:37 +0530 Subject: [PATCH 18/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index 96b1441..301055e 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml @@ -55,7 +55,7 @@ jobs: - name: Run OpenGrep scan and output to JSON run: | - opengrep scan --help + opengrep scan -h - name: Filter findings to only changed lines run: | From ddef2100c0704c9d7af9c94b899857db808c0fa4 Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 17:19:36 +0530 Subject: [PATCH 19/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index 301055e..e41c3b7 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml @@ -27,7 +27,7 @@ jobs: - name: Download and install OpenGrep run: | - curl -L -o opengrep "https://github.com/opengrep/opengrep/releases/download/${{ steps.get-version.outputs.VERSION_TAG }}/opengrep-linux-x86_64" + curl -L -o opengrep "https://github.com/opengrep/opengrep/releases/download/${{ steps.get-version.outputs.VERSION_TAG }}/opengrep_manylinux_x86" chmod +x opengrep sudo mv opengrep /usr/local/bin/opengrep @@ -55,7 +55,8 @@ jobs: - name: Run OpenGrep scan and output to JSON run: | - opengrep scan -h + opengrep scan --json-output=findings.json --metrics=auto db.py + cat findings.json - name: Filter findings to only changed lines run: | From 9bf29be08c4d10a2defe2ff99898df91ad7c74f2 Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 17:23:37 +0530 Subject: [PATCH 20/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) 
diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index e41c3b7..c1d652a 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml @@ -43,16 +43,21 @@ jobs: run: | echo "{}" > changed_lines.json for file in $(git diff --name-only origin/${{ github.base_ref }}...origin/${{ github.head_ref }}); do - lines=$(git diff -U0 origin/${{ github.base_ref }}...origin/${{ github.head_ref }} -- "$file" | \ - grep '^@@' | sed -nE 's/^@@ \+([0-9]+)(,[0-9]+)? .*/\1/p' | tr '\n' ' ') - if [ ! -z "$lines" ]; then - jq --arg file "$file" --argjson lines "$(echo $lines | jq -R 'split(" ") | map(tonumber)')" \ + mapfile -t lines < <(git diff -U0 origin/${{ github.base_ref }}...origin/${{ github.head_ref }} -- "$file" | \ + grep '^@@' | sed -nE 's/^@@ \+([0-9]+)(?:,([0-9]+))? @@.*/\1 \2/p' | awk '{ count = ($2 == "") ? 1 : $2; for(i = 0; i < count; i++) print $1 + i }') + if [ ${#lines[@]} -gt 0 ]; then + jq --arg file "$file" --argjson lines "$(printf '%s\n' "${lines[@]}" | jq -s '.')" \ '. + {($file): $lines}' changed_lines.json > tmp.json && mv tmp.json changed_lines.json fi done echo "Changed lines by file:" cat changed_lines.json + - name: Debug changed lines + run: | + echo "Contents of changed_lines.json:" + cat changed_lines.json || echo "❌ File not found" + - name: Run OpenGrep scan and output to JSON run: | opengrep scan --json-output=findings.json --metrics=auto db.py 
@@ -61,9 +66,9 @@ jobs: - name: Filter findings to only changed lines run: | echo "[]" > relevant_findings.json - jq -c '.[]' findings.json | while read -r finding; do - file=$(echo "$finding" | jq -r '.file') - line=$(echo "$finding" | jq -r '.line') + jq -c '.results[]' findings.json | while read -r finding; do + file=$(echo "$finding" | jq -r '.path') + line=$(echo "$finding" | jq -r '.start.line') if jq -e --arg file "$file" --argjson line "$line" \ 'has($file) and (.[$file] | index($line))' changed_lines.json > /dev/null; then jq -n "$finding" >> relevant_findings.json From 925b1a28e743e66f43542249576d6e0664459d36 Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 17:25:36 +0530 Subject: [PATCH 21/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index c1d652a..d17567e 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml 
@@ -39,17 +39,31 @@ jobs: echo "Changed files: $FILES" - name: Get line-level changes per file - id: diff-lines run: | echo "{}" > changed_lines.json + for file in $(git diff --name-only origin/${{ github.base_ref }}...origin/${{ github.head_ref }}); do - mapfile -t lines < <(git diff -U0 origin/${{ github.base_ref }}...origin/${{ github.head_ref }} -- "$file" | \ - grep '^@@' | sed -nE 's/^@@ \+([0-9]+)(?:,([0-9]+))? @@.*/\1 \2/p' | awk '{ count = ($2 == "") ? 1 : $2; for(i = 0; i < count; i++) print $1 + i }') + echo "Processing $file" + # Extract changed line ranges from unified diff headers (e.g., @@ +20,3 @@) + mapfile -t ranges < <(git diff -U0 origin/${{ github.base_ref }}...origin/${{ github.head_ref }} -- "$file" | grep '^@@' | grep -oP '\+\d+(,\d+)?' | sed 's/+//') + + # Convert to individual line numbers + lines=() + for range in "${ranges[@]}"; do + start=$(echo $range | cut -d',' -f1) + count=$(echo $range | cut -s -d',' -f2) + count=${count:-1} + for ((i=0; i<$count; i++)); do + lines+=($(($start + $i))) + done + done + if [ ${#lines[@]} -gt 0 ]; then jq --arg file "$file" --argjson lines "$(printf '%s\n' "${lines[@]}" | jq -s '.')" \ '. + {($file): $lines}' changed_lines.json > tmp.json && mv tmp.json changed_lines.json fi done + echo "Changed lines by file:" cat changed_lines.json From ba7b9c9b0c08beb6f140331a398e27fb18ba428c Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 17:29:16 +0530 Subject: [PATCH 22/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index d17567e..218385d 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml 
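Review bot: `for file in $(git diff --name-only …)` word-splits the path list, so a file name containing whitespace is processed as several non-existent paths and its changed lines never reach `changed_lines.json`; iterate NUL-delimited instead, `while IFS= read -r -d '' file; do … done < <(git diff -z --name-only origin/…...origin/…)`, which leaves the loop body as written. `grep -oP '\+\d+(,\d+)?'` is applied to the whole `@@` line, and the function-context text git appends after the closing `@@` can itself contain `+<digits>` (an expression such as `x+1`), which would be read as an extra range; anchor the match to the header, e.g. `grep -oP '^@@ -\d+(,\d+)? \+\K\d+(,\d+)?'`. The word-splitting issue applies equally to the `Get changed files` step earlier in the file, which feeds the same list to `opengrep scan`.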
@@ -77,17 +77,20 @@ jobs: opengrep scan --json-output=findings.json --metrics=auto db.py cat findings.json - - name: Filter findings to only changed lines + - name: Filter findings to only changed lines run: | echo "[]" > relevant_findings.json + jq -c '.results[]' findings.json | while read -r finding; do - file=$(echo "$finding" | jq -r '.path') + file=$(echo "$finding" | jq -r '.path' | sed 's|^\./||') # remove leading ./ if present line=$(echo "$finding" | jq -r '.start.line') + if jq -e --arg file "$file" --argjson line "$line" \ 'has($file) and (.[$file] | index($line))' changed_lines.json > /dev/null; then jq -n "$finding" >> relevant_findings.json fi done + echo "Relevant findings:" cat relevant_findings.json || echo "✅ No relevant issues in changed lines." From 7aa502af1de70ff26c325e713309dbb87e96fa57 Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 17:29:50 +0530 Subject: [PATCH 23/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index 218385d..4600167 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml @@ -77,7 +77,7 @@ jobs: opengrep scan --json-output=findings.json --metrics=auto db.py cat findings.json - - name: Filter findings to only changed lines + - name: Filter findings to only changed lines run: | echo "[]" > relevant_findings.json From 42b5bcdafbf100dbfcca3d60e35efedec268812e Mon Sep 17 00:00:00 2001 From: Souradip Ghosh Date: Thu, 15 May 2025 17:30:59 +0530 Subject: [PATCH 24/24] Update opengrepGA.yml --- .github/workflows/opengrepGA.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/opengrepGA.yml b/.github/workflows/opengrepGA.yml index 4600167..0815cec 100644 --- a/.github/workflows/opengrepGA.yml +++ b/.github/workflows/opengrepGA.yml 
@@ -74,7 +74,7 @@ jobs: - name: Run OpenGrep scan and output to JSON run: | - opengrep scan --json-output=findings.json --metrics=auto db.py + opengrep scan --json-output=findings.json --metrics=auto ${{ steps.changed-files.outputs.FILES }} cat findings.json - name: Filter findings to only changed lines