Remove self-managed Semgrep CI integrations#2

Merged

kirk-duo merged 1 commit into

security/remove-semgrep-ci-SEC-3379

May 22, 2026

kirk-duo commented May 22, 2026 •

edited

Loading

What

Removes the Semgrep CI job and custom rule file.

Why

The `semgrep` job in `ci.yml` pulls `semgrep/semgrep` with no pinned digest — unpinned Docker images in CI are a supply chain risk. Semgrep Platform handles scanning going forward.

The `.semgrep.yml` rules (12 rules: unsafe blocks, dynamic command execution, network access, path manipulation) are worth keeping. They're archived to `infra-security-tooling/scripts/rtk-semgrep-rules.yml` and are candidates for a Platform custom policy.

Changed:

`.github/workflows/ci.yml` — removed `semgrep` job (lines 195–206). No other jobs depended on it.
`.semgrep.yml` — deleted. Rules archived to infra-security-tooling.

Pre-merge:

Semgrep Platform is active on rtk
CI runs clean without the semgrep job (clippy, tests, benchmark all still present)


          Remove self-managed Semgrep CI integrations

c5ce426

semgrep job in ci.yml pulls semgrep/semgrep with no pinned digest — supply
chain risk. No other jobs depend on semgrep. Custom rules archived to
infra-security-tooling/scripts/rtk-semgrep-rules.yml. SEC-3379.

github-actions Bot added the wrong-base label

github-actions Bot commented May 22, 2026

👋 Thanks for the PR! It looks like this targets master, but all PRs should target the develop branch.

Please update the base branch:

Click Edit at the top right of this PR
Change the base branch from master to develop

See CONTRIBUTING.md for details.

5 similar comments

github-actions Bot commented May 22, 2026

👋 Thanks for the PR! It looks like this targets master, but all PRs should target the develop branch.

Please update the base branch:

Click Edit at the top right of this PR
Change the base branch from master to develop

See CONTRIBUTING.md for details.

github-actions Bot commented May 22, 2026

👋 Thanks for the PR! It looks like this targets master, but all PRs should target the develop branch.

Please update the base branch:

Click Edit at the top right of this PR
Change the base branch from master to develop

See CONTRIBUTING.md for details.

github-actions Bot commented May 22, 2026

👋 Thanks for the PR! It looks like this targets master, but all PRs should target the develop branch.

Please update the base branch:

Click Edit at the top right of this PR
Change the base branch from master to develop

See CONTRIBUTING.md for details.

github-actions Bot commented May 22, 2026

👋 Thanks for the PR! It looks like this targets master, but all PRs should target the develop branch.

Please update the base branch:

Click Edit at the top right of this PR
Change the base branch from master to develop

See CONTRIBUTING.md for details.

github-actions Bot commented May 22, 2026

👋 Thanks for the PR! It looks like this targets master, but all PRs should target the develop branch.

Please update the base branch:

Click Edit at the top right of this PR
Change the base branch from master to develop

See CONTRIBUTING.md for details.

kirk-duo merged commit d50ea92 into master

16 checks passed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels