feat(ci): enable Semgrep

.github/workflows/security-scan.yml

@@ -24,7 +24,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Run Zizmor scan
-        uses: open-edge-platform/anomalib/.github/actions/security/zizmor@c43e552e4178109c1e14ea6aa5f4e2ee03fdca3c
+        uses: open-edge-platform/geti-ci/actions/zizmor@353d464dd966cc07ce9c5109e70c12c17fb60942
         with:
           scan-scope: "all"
           severity-level: "LOW"
@@ -42,7 +42,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Run Bandit scan
-        uses: open-edge-platform/anomalib/.github/actions/security/bandit@c43e552e4178109c1e14ea6aa5f4e2ee03fdca3c
+        uses: open-edge-platform/geti-ci/actions/bandit@353d464dd966cc07ce9c5109e70c12c17fb60942
         with:
           scan-scope: "all"
           severity-level: "LOW"
@@ -60,10 +60,9 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
-
       - name: Run Trivy scan
         id: trivy
-        uses: open-edge-platform/anomalib/.github/actions/security/trivy@c43e552e4178109c1e14ea6aa5f4e2ee03fdca3c
+        uses: open-edge-platform/geti-ci/actions/trivy@353d464dd966cc07ce9c5109e70c12c17fb60942
         with:
           scan_type: "fs"
           scan-scope: all
@@ -72,3 +71,21 @@ jobs:
           format: "sarif"
           timeout: "15m"
           ignore_unfixed: "false"
+
+  semgrep-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write # Needed to upload the results to code-scanning dashboard
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - name: Run Semgrep scan
+        id: semgrep
+        uses: open-edge-platform/geti-ci/actions/semgrep@353d464dd966cc07ce9c5109e70c12c17fb60942
+        with:
+          scan-scope: "all"
+          severity: "LOW"
+          fail-on-findings: false # reports only

.github/workflows/test_precommit.yml

@@ -69,7 +69,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Run Zizmor scan
-        uses: open-edge-platform/anomalib/.github/actions/security/zizmor@c43e552e4178109c1e14ea6aa5f4e2ee03fdca3c
+        uses: open-edge-platform/geti-ci/actions/zizmor@353d464dd966cc07ce9c5109e70c12c17fb60942
         with:
           scan-scope: "changed"
           severity-level: "LOW"
@@ -85,10 +85,26 @@ jobs:
         with:
           persist-credentials: false
       - name: Run Bandit scan
-        uses: open-edge-platform/anomalib/.github/actions/security/bandit@c43e552e4178109c1e14ea6aa5f4e2ee03fdca3c
+        uses: open-edge-platform/geti-ci/actions/bandit@353d464dd966cc07ce9c5109e70c12c17fb60942
         with:
           scan-scope: "changed"
           severity-level: "LOW"
           confidence-level: "LOW"
           config_file: "./pyproject.toml"
           fail-on-findings: true
+
+  Semgrep-Scan-PR:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - name: Run Bandit scan
+        uses: open-edge-platform/geti-ci/actions/semgrep@353d464dd966cc07ce9c5109e70c12c17fb60942
+        with:
+          scan-scope: "changed"
+          severity: "LOW"
+          fail-on-findings: true

CONTRIBUTING.md

@@ -74,6 +74,45 @@ Set up your development environment to start contributing. This involves install
 
    For more on signing commits, see [GitHub's guide on signing commits](https://docs.github.com/en/github/authenticating-to-github/managing-commit-signature-verification/signing-commits).
 
+<details>
+<summary>Suppressing False Positives</summary>
+
+If necessary, to suppress _false_ positives from security scanning tools, add inline comment with specific syntax.
+Please also add a comment explaining _why_ you decided to disable a rule or provide a risk-acceptance reason.
+
+#### Bandit
+
+Findings can be ignored inline with `# nosec BXXX` comments.
+
+```python
+import subprocess # nosec B404 # this is actually fine
+```
+
+[Details](https://bandit.readthedocs.io/en/latest/config.html#exclusions) in Bandit docs.
+
+#### Zizmor
+
+Findings can be ignored inline with `# zizmor: ignore[rulename]` comments.
+
+```yaml
+uses: actions/checkout@v3 # zizmor: ignore[artipacked] this is actually fine
+```
+
+[Details](https://woodruffw.github.io/zizmor/usage/#with-comments) in Zizmor docs.
+
+#### Semgrep
+
+Findings can be ignored inline with `# nosemgrep: rule-id` comments.
+
+```python
+    # nosemgrep: python.lang.security.audit.dangerous-system-call.dangerous-system-call # this is actually fine
+    r = os.system(' '.join(command))
+```
+
+[Details](https://semgrep.dev/docs/ignoring-files-folders-code) in Semgrep docs.
+
+</details>
+
 ### Submitting Pull Requests
 
 Once you've followed the above steps and are satisfied with your changes: