https://github.com/deviant101/test-semgrep
- Host: GitHub
- URL: https://github.com/deviant101/test-semgrep
- Owner: deviant101
- Created: 2025-12-02T17:58:38.000Z (6 months ago)
- Default Branch: master
- Last Pushed: 2025-12-02T19:08:40.000Z (6 months ago)
- Last Synced: 2025-12-05T18:31:54.799Z (6 months ago)
- Language: JavaScript
- Size: 14.6 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# SAST Demo App with Semgrep
This is a simple Node.js Express application with **intentional security vulnerabilities** for testing Static Application Security Testing (SAST) using Semgrep in a GitHub Actions pipeline.
## ⚠️ Warning
This application contains **intentional security vulnerabilities** for educational and testing purposes only. **DO NOT deploy this application in production!**
## Intentional Vulnerabilities
The app includes the following vulnerabilities that Semgrep should detect:
1. **SQL Injection** - User input directly concatenated into SQL query
2. **Command Injection** - User input passed to shell command
3. **Cross-Site Scripting (XSS)** - User input rendered in template without escaping
4. **Hardcoded Secrets** - API keys and passwords in source code
5. **Insecure Deserialization** - Using `pickle.loads` on user input
6. **Insecure Eval / Deserialization** - Using `eval` on user input
## Project Structure
```
.
├── .github/
│   └── workflows/
│       └── sast.yml      # GitHub Actions workflow for Semgrep
├── app.js                # Express application with vulnerabilities
├── package.json          # Node dependencies
└── README.md             # This file
```
## GitHub Actions Pipeline
The pipeline (`.github/workflows/sast.yml`) will:
1. **Checkout** the repository code
2. **Set up Python** 3.11
3. **Install Semgrep** CLI tool
4. **Run Semgrep scan** with multiple rulesets:
   - `auto` - Automatic language detection
   - `p/security-audit` - Security-focused rules
   - `p/python` - Python-specific rules
5. **Display results** in the workflow logs
6. **Upload artifacts** (JSON and text reports)
7. **Upload SARIF** to GitHub Security tab (if available)
## Running Locally
### Install dependencies
```bash
pip install -r requirements.txt
pip install semgrep
```
### Run the app (for testing only)
```bash
python app.py
```
### Run Semgrep locally
```bash
# Basic scan
semgrep scan --config auto .
# Full security scan with output files
semgrep scan --config auto --config p/security-audit --config p/python --json --output results.json .
```
## Expected Semgrep Findings
When you run the pipeline, Semgrep should detect vulnerabilities like:
- `python.lang.security.audit.dangerous-subprocess-use`
- `python.flask.security.injection.sql-injection`
- `python.flask.security.injection.xss`
- `python.lang.security.deserialization.avoid-pickle`
- `generic.secrets.security.detected-generic-api-key`
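A consumer for the `results.json` that the full scan above writes, added here as an example and not part of the test-semgrep repository: it parses Semgrep's JSON output, summarises findings by severity and by rule id (the ids listed above), and returns a pass/fail verdict that a pipeline step could use to block a merge. The embedded sample results are constructed; the field names it reads (`check_id`, `path`, `start.line`, `extra.severity`) follow Semgrep's JSON output schema.

```python
import json
import sys
from collections import Counter

# Constructed sample in the shape of Semgrep's `--json` output, limited to the
# fields this script reads; it stands in for the results.json written above.
SAMPLE_RESULTS = json.dumps({
    "results": [
        {"check_id": "python.flask.security.injection.sql-injection",
         "path": "app.py", "start": {"line": 12, "col": 5},
         "extra": {"severity": "ERROR", "message": "User input reaches SQL query"}},
        {"check_id": "generic.secrets.security.detected-generic-api-key",
         "path": "app.py", "start": {"line": 3, "col": 1},
         "extra": {"severity": "WARNING", "message": "Generic API key detected"}},
        {"check_id": "python.lang.security.audit.dangerous-subprocess-use",
         "path": "app.py", "start": {"line": 20, "col": 5},
         "extra": {"severity": "ERROR", "message": "Subprocess call with user input"}},
    ],
    "errors": [],
})

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

def load_findings(raw_json):
    """Flatten Semgrep's results array into (check_id, path, line, severity) tuples."""
    data = json.loads(raw_json)
    return [(r["check_id"], r["path"], r["start"]["line"], r["extra"]["severity"])
            for r in data.get("results", [])]

def summarize(findings):
    """Count findings per severity and per rule id."""
    by_sev = Counter(f[3] for f in findings)
    by_rule = Counter(f[0] for f in findings)
    return dict(by_sev), dict(by_rule)

def should_fail(findings, threshold="ERROR"):
    """True when any finding is at or above the threshold severity (unknown = INFO)."""
    return any(SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK[threshold]
               for *_, sev in findings)

def report(raw_json, threshold="ERROR"):
    """Print findings, highest severity first, and return the fail verdict."""
    findings = load_findings(raw_json)
    for check_id, path, line, sev in sorted(findings, key=lambda f: -SEVERITY_RANK.get(f[3], 0)):
        print(f"[{sev:<7}] {path}:{line}  {check_id}")
    print("totals by severity:", summarize(findings)[0])
    return should_fail(findings, threshold)

if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    sys.exit(1 if report(raw) else 0)
```

Run it as `python gate.py results.json` after the scan; a non-zero exit on ERROR-level findings is what makes the workflow step fail.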
## Usage
1. Push this code to a GitHub repository
2. The workflow will automatically run on push/PR to main/master
3. Check the "Actions" tab for results
4. Download artifacts from the workflow run
5. View security alerts in the "Security" tab (if SARIF upload succeeds)