sbassett added a comment.

  In T292110#7571382 <https://phabricator.wikimedia.org/T292110#7571382>, 
@Michaelcochez wrote:
  
  > I have now added gokart. The github action was not working out of the box, 
because of some missing configuration parameters in the example. I opened a 
pull request for that.
  
  Great.
  
  > Then, I also added nancy to scan packages and enabled Dependabot alerts.
  
  Great.
  
  > It seems I cannot configure semgrep as a github action, and I am 
uncomfortable giving the website access to my github account.
  
  Yes, I wouldn't set up any version of semgrep that depended upon semgrep.dev 
(or untrusted images) except for maybe talking to their registry.  I think the 
worst case would be manually setting up a github action that uses a python 
image, installing semgrep via pip (or whatever) and then running the cli like: 
`semgrep --config=p/golang --metrics=off`.  I believe this //should// just pull 
the golang policy from their registry and not report any pseudonymous feedback 
back to semgrep.dev.  Anyhow, this is more a suggestion with both gosec and 
gokart running for SAST.
  
  And if any of these tools become too noisy, they can likely be disabled or 
further tweaked, especially if there are noisy rules.

TASK DETAIL
  https://phabricator.wikimedia.org/T292110

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: Reedy, sbassett
Cc: Lucas_Werkmeister_WMDE, sbassett, Michaelcochez, Martaannaj, 
Lydia_Pintscher, Addshore, WMDE-leszek, karapayneWMDE, Aklapper, Invadibot, 
Devnull, maantietaja, Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Bawolff, Mbch331, Legoktm
_______________________________________________
Wikidata-bugs mailing list -- wikidata-bugs@lists.wikimedia.org
To unsubscribe send an email to wikidata-bugs-le...@lists.wikimedia.org
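One way to wire up the workflow sbassett sketches above (a plain Python image, semgrep from pip, `--config=p/golang --metrics=off`, no dependency on semgrep.dev beyond the public rules registry), written here as an added example that is not part of the task thread or the project's repository. The branch name, image tag, action versions, output file name and the excluded-rule id in the comment are assumptions.

```yaml
# Added example (not from T292110 or the project): run semgrep without the
# semgrep/semgrep image or a semgrep.dev login, alongside gosec/gokart.
name: sast-semgrep

on:
  push:
    branches: [main]        # assumption: default branch is "main"
  pull_request:

permissions:
  contents: read            # read-only token; the scan needs nothing more
  security-events: write    # only required by the optional SARIF upload step

jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: python:3.11-slim   # assumption: any maintained Python image works
    steps:
      - uses: actions/checkout@v3

      # Install from PyPI instead of pulling a third-party scanner image.
      - name: Install semgrep
        run: pip install --no-cache-dir semgrep

      # p/golang is fetched from the public rules registry; --metrics=off
      # disables the pseudonymous usage reporting back to semgrep.dev.
      # --error makes the job fail when findings are present.
      - name: Run semgrep
        run: |
          semgrep --config=p/golang --metrics=off \
            --sarif --output=semgrep.sarif \
            --error
          # If a rule proves noisy, drop it by id (placeholder id shown):
          #   --exclude-rule go.lang.security.audit.EXAMPLE-RULE-ID
          # or list paths to skip in a .semgrepignore file at the repo root.

      # Optional: surface findings in the repository's code-scanning tab.
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: semgrep.sarif
```

The upload step runs even when `--error` fails the scan step, so findings stay visible while the check still blocks the pull request.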
