Add Semgrep static analysis workflow for create-github-app-token action detection (#101)

* Add Semgrep static analysis workflow and custom rules

Introduces a reusable Semgrep scanning workflow that runs on pull requests,
along with an initial custom rule to deny usage of actions/create-github-app-token
and a script to format findings as GitHub-flavored markdown PR comments.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: pin actions/checkout to v6.0.2 in semgrep workflow

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* testing error on running

* fail semgrep on error

* fix semgrep rule

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* no redirect the error message

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Author: 3 people

.github/workflows/semgrep.yaml

@@ -0,0 +1,68 @@
+name: Semgrep static analysis
+on:
+  pull_request:
+jobs:
+  semgrep:
+    permissions:
+      contents: read
+      pull-requests: write
+    # User definable name of this GitHub Actions job.
+    name: semgrep-oss/scan
+    # If you are self-hosting, change the following `runs-on` value:
+    runs-on: ubuntu-latest
+    container:
+      # A Docker image with Semgrep installed. Do not change this.
+      image: semgrep/semgrep:1.152.0
+    steps:
+      # Fetch project source with GitHub Actions Checkout.
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      # Fetch org-wide custom Semgrep rules from the central repository.
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: grafana/security-github-actions
+          ref: ${{ github.repository == 'grafana/security-github-actions' && (github.head_ref || github.ref_name) || '' }}
+          sparse-checkout: |
+            semgrep/custom-rules.yaml
+            semgrep/format-results.sh
+          path: security-github-actions
+      - id: semgrep
+        env:
+          GITHUB_REPOSITORY: ${{github.repository}}
+          GITHUB_BRANCH: ${{github.head_ref || github.ref_name}}
+        run: |
+          set +e
+          semgrep scan --error --json --config security-github-actions/semgrep/custom-rules.yaml > /tmp/semgrep-results.json
+          EXIT_CODE=$?
+          set -e
+          if [ $EXIT_CODE -eq 1 ]; then
+            echo "has_findings=true" >> "$GITHUB_OUTPUT"
+            {
+              echo 'SEMGREP_OUTPUT<<SEMGREP_EOF'
+              bash security-github-actions/semgrep/format-results.sh /tmp/semgrep-results.json
+              echo 'SEMGREP_EOF'
+            } >> "$GITHUB_ENV"
+          fi
+
+          if [ $EXIT_CODE -gt 1 ]; then
+            echo "::error::Semgrep run encounters an error"
+            cat /tmp/semgrep-results.json
+            exit 1
+          fi
+
+          HIGH_CRITICAL=$(jq '[.results[] | select(.extra.severity == "HIGH" or .extra.severity == "CRITICAL")] | length' /tmp/semgrep-results.json)
+          if [ "$HIGH_CRITICAL" -gt 0 ]; then
+            echo "has_high_critical=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - if: steps.semgrep.outputs.has_findings == 'true'
+        uses: int128/comment-action@66317511bc86c47bd51e03059040e8a460a167b8
+        with:
+          update-if-exists: recreate
+          post: |
+            ${{ env.SEMGREP_OUTPUT }}
+
+      - if: steps.semgrep.outputs.has_high_critical == 'true'
+        run: |
+          echo "::error::Semgrep found HIGH or CRITICAL severity findings."
+          exit 1

semgrep/custom-rules.yaml

@@ -0,0 +1,13 @@
+rules:
+  - id: deny-actions-create-github-app-token
+    patterns:
+      - pattern-regex: "uses:\\s*actions/create-github-app-token"
+    paths:
+      include:
+        - "*.yaml"
+        - "*.yml"
+    message: >
+      Do not use actions/create-github-app-token. Use the organization's
+      approved [alternative for generating GitHub App tokens](https://enghub.grafana-ops.net/docs/default/component/deployment-tools/platform/vault/github-app-token-broker-migration-guide/).
+    languages: [generic]
+    severity: LOW

semgrep/format-results.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# Format semgrep JSON results into a GitHub-flavored markdown comment.
+set -euo pipefail
+
+INPUT_FILE="$1"
+
+RESULTS_COUNT=$(jq '.results | length' "$INPUT_FILE")
+
+if [ "$RESULTS_COUNT" -eq 0 ]; then
+  exit 0
+fi
+
+echo "## Semgrep Findings"
+echo ""
+echo "**${RESULTS_COUNT}** finding(s) detected."
+echo ""
+echo "| Severity | Rule | File | Message |"
+echo "|----------|------|------|---------|"
+
+jq -r --arg repo "$GITHUB_REPOSITORY" --arg sha "$GITHUB_SHA" '.results[] | {
+  sev: .extra.severity,
+  rule: (.check_id | split(".")[-1]),
+  path: .path,
+  line: .start.line,
+  msg: (.extra.message | gsub("\n"; " ") | ltrimstr(" ") | rtrimstr(" ") | gsub("\\|"; "\\|") | gsub("`"; "\\`"))
+} | {
+  icon: (if .sev == "CRITICAL" then "🔴"
+         elif .sev == "HIGH" then "🟠"
+         elif .sev == "MEDIUM" then "🟡"
+         elif .sev == "LOW" then "🔵"
+         elif .sev == "INFO" then "⚪"
+         else "⚪" end),
+  sev: .sev,
+  rule: .rule,
+  path: .path,
+  line: .line,
+  msg: .msg
+} | "| \(.icon) \(.sev) | `\(.rule)` | [`\(.path):\(.line)`](https://github.com/\($repo)/blob/\($sha)/\(.path)#L\(.line)) | \(.msg) |"' "$INPUT_FILE"