
ci: add Semgrep SAST scanning on pull requests#99

Merged
Sayan- merged 1 commit into main from sayan/kernel-1191-finalize-scope-of-repos-under-elevated-vulnerability
Apr 29, 2026

Conversation

@Sayan-
Contributor

@Sayan- Sayan- commented Apr 29, 2026

Summary

Follow-up from the INC-51 postmortem (KERNEL-1191): the Kernel MCP vulnerability was missed in part because the MCP repo was not subscribed to the shared Semgrep workflow. Expanding the scope to the customer-facing SDKs so the same gap can't happen there.

This PR adds .github/workflows/semgrep.yml that calls the reusable workflow in kernel/security-workflows. Runs on every PR targeting `main` with the agent-powered triage flow already used in `kernel`, `kernel-images`, `cli`, `kernel-mcp-server`, etc.

Semgrep configs: `p/golang`, `p/trailofbits`.

Uses org-level secrets already provisioned for existing subscribers (`CURSOR_API_KEY`, `CURSOR_PREFERRED_MODEL`, `ADMIN_APP_ID`, `ADMIN_APP_PRIVATE_KEY`, `SOCKET_API_TOKEN`) via `secrets: inherit`.

Stainless caveat

This SDK is Stainless-generated. Stainless doesn't appear to manage arbitrary files under `.github/workflows/`, but if the next regeneration wipes this file, we'll need to either add it to the Stainless config or restore it via a post-generation step.

Test plan

  • CI runs on this PR itself (first scan of the repo). Verify the `Semgrep / scan` check appears and completes.
  • If findings are produced, confirm the triage agent posts comments as expected.

Made with Cursor
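As an added illustration (the PR's own semgrep.yml is not shown on this page), here is what a caller workflow matching the description looks like: triggered by pull requests targeting `main`, named so the check appears as `Semgrep / scan`, granted `pull-requests: write` so the triage flow can comment, and passing the org-level secrets through with `secrets: inherit`. The reusable workflow's file name inside kernel/security-workflows, the `configs` input name, and the pinned ref are assumptions; the shared repo's real interface may differ.

```yaml
# Added example, not the file from PR #99. The reusable workflow's path, its
# input name and the ref are assumptions; only the trigger, permissions,
# rulesets and `secrets: inherit` come from the PR description.
name: Semgrep

on:
  pull_request:
    branches: [main]

# Least privilege for the caller: read the code, write PR comments.
permissions:
  contents: read
  pull-requests: write

jobs:
  scan:
    # ASSUMPTION: file name of the reusable workflow. Pin to a full commit SHA
    # (placeholder below) rather than a branch, since this job hands inherited
    # org secrets to whatever the ref resolves to.
    uses: kernel/security-workflows/.github/workflows/semgrep.yml@<PINNED_COMMIT_SHA>
    with:
      # ASSUMPTION: input name; the two rulesets are the ones named in the PR.
      configs: "p/golang p/trailofbits"
    # Forwards the org-level secrets the PR lists (CURSOR_API_KEY, ADMIN_APP_*,
    # SOCKET_API_TOKEN, ...) without enumerating them here.
    secrets: inherit
```

Two points worth checking on the real file: the `uses:` ref determines what code runs with the inherited secrets, so a commit SHA is the safer pin than a mutable branch, and the check name in the test plan (`Semgrep / scan`) is exactly what a workflow named `Semgrep` with a job id `scan` produces, so a renamed job would silently break any branch protection rule keyed on that name.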


Note

Low Risk
Adds a CI workflow that runs Semgrep via a reusable workflow; low code risk but may affect PR CI duration/failures due to new security findings or workflow configuration.

Overview
Adds a new GitHub Actions workflow (.github/workflows/semgrep.yml) that runs Semgrep on every pull request to main by invoking the shared kernel/security-workflows reusable workflow.

The scan is configured with the p/golang and p/trailofbits rulesets, grants pull-requests: write to allow PR feedback, and inherits org secrets for the scan/triage flow.

Reviewed by Cursor Bugbot for commit c89089f. Bugbot is set up for automated code reviews on this repo. Configure here.

Subscribes this repo to the shared Semgrep workflow in
kernel/security-workflows as part of expanding the elevated
vulnerability management scope to customer-facing SDKs
(KERNEL-1191, INC-51 follow-up).

Made-with: Cursor
@firetiger-agent

Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:

Any PR that changes the kernel API. Monitor changes to API endpoints (packages/api/cmd/api/) and Temporal workflows (packages/api/lib/temporal) in the kernel repo

Reason: This PR only adds CI/security scanning configuration (.github/workflows/semgrep.yml) and does not modify any kernel API endpoints or Temporal workflows.

To monitor this PR anyway, reply with @firetiger monitor this.

@Sayan- Sayan- requested a review from ulziibay-kernel April 29, 2026 17:59
@Sayan- Sayan- merged commit c8e2d72 into main Apr 29, 2026
10 checks passed