I use this GitHub Action to security test our WordPress themes
So what does the GitHub Action do?
It;
| name: Semgrep Static Application Security Testing (SAST) | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: '0 1 * * 1' # Run every Monday at 1am | |
| env: | |
| SCAN_PATH: './public/wp-content/themes/' | |
| jobs: | |
| code-checkout: | |
| uses: ./.github/workflows/reusable-code-checkout.yml | |
| secrets: inherit | |
| semgrep_scan: | |
| name: Semgrep Scan | |
| runs-on: ubuntu-latest | |
| needs: [code-checkout] | |
| if: (github.actor != 'dependabot[bot]') | |
| permissions: | |
| security-events: write | |
| actions: read | |
| contents: read | |
| steps: | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install Semgrep | |
| run: pip install semgrep | |
| - name: Fetch shared source | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: code-artifact | |
| - name: Extract shared source | |
| working-directory: ./ | |
| run: tar -zxf code-artifact.tar.gz | |
| - name: Setup PHP environment | |
| uses: shivammathur/setup-php@v2 | |
| env: | |
| COMPOSER_AUTH_JSON: | | |
| { | |
| "http-basic": { | |
| "connect.advancedcustomfields.com": { | |
| "username": "${{ secrets.ACF_USERNAME }}", | |
| "password": "${{ secrets.ACF_PASSWORD }}" | |
| } | |
| } | |
| } | |
| with: | |
| php-version: '8.2' | |
| tools: composer:v2 | |
| extensions: gd, zip | |
| - name: Cache composer dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.composer/cache | |
| key: dependencies-composer-${{ hashFiles('composer.lock') }} | |
| - name: Remove git-cloned Composer files | |
| working-directory: ./ | |
| run: | | |
| composer remove dss-web/dss-depkatalog --no-progress | |
| - name: Install Composer Dev-dependencies | |
| working-directory: ./ | |
| env: | |
| COMPOSER_AUTH: ${{ secrets.COMPOSER_AUTH }} | |
| run: | | |
| composer install --no-progress | |
| - name: Perform Semgrep Analysis | |
| run: | | |
| semgrep -q --sarif --config auto ${{ env.SCAN_PATH }} > ${{ github.workspace }}/semgrep-results.sarif | |
| - name: Save SARIF results as artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: semgrep-scan-results | |
| path: ${{ github.workspace }}/semgrep-results.sarif | |
| - name: Upload SARIF result to the GitHub Security Dashboard | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: ${{ github.workspace }}/semgrep-results.sarif | |
| if: always() |
| name: Fetch code | |
| on: | |
| workflow_call: | |
| inputs: | |
| tag: | |
| description: 'Tag to deploy' | |
| required: false | |
| type: string | |
| default: '' | |
| artifact: | |
| description: 'Artifact name' | |
| required: false | |
| type: string | |
| default: '' | |
| jobs: | |
| fetch: | |
| name: Checkout code | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Checkout the source | |
| - name: Checkout source | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.tag }} | |
| # Setup file permissions | |
| - name: File permissions | |
| working-directory: ./ | |
| run: | | |
| chmod +x tools/post-install-cmd.sh | |
| # Set up PHP to our liking for use with WordPress, and to match the live environment. | |
| - name: Setup PHP environment | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: '8.2' | |
| tools: composer:v2 | |
| ini-values: memory_limit=512M | |
| extensions: gd, zip | |
| env: | |
| COMPOSER_AUTH_JSON: | | |
| { | |
| "http-basic": { | |
| "connect.advancedcustomfields.com": { | |
| "username": "${{ secrets.ACF_USERNAME }}", | |
| "password": "${{ secrets.ACF_PASSWORD }}" | |
| } | |
| } | |
| } | |
| # Create cache locations that work across action containers to speed up testing if and when possible. | |
| - name: Cache composer dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.composer/cache | |
| key: dependencies-composer-${{ hashFiles('composer.lock') }} | |
| - name: Cache node dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.npm | |
| key: dependencies-npm-${{ hashFiles('package-lock.json') }} | |
| # Setup SSH keys for accessing private repositories | |
| - name: SSH Key configuration | |
| uses: webfactory/ssh-agent@v0.9.0 | |
| with: | |
| ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} | |
| # If the project includes any composer dependencies, install them now. | |
| - name: Install Composer dependencies | |
| working-directory: ./ | |
| env: | |
| COMPOSER_AUTH: ${{ secrets.COMPOSER_AUTH }} | |
| run: 'composer validate && composer install --no-dev --no-progress' | |
| # Install translation files | |
| - name: Install translations via Composer | |
| working-directory: ./ | |
| env: | |
| COMPOSER_AUTH: ${{ secrets.COMPOSER_AUTH }} | |
| run: 'composer run get-translations' | |
| # Cleanup removes files not wanted in the final production build. | |
| - name: Remove unwanted files | |
| working-directory: ./ | |
| run: | | |
| rm -rf .github/ | |
| rm -rf .dependabot/ | |
| rm -rf .env.example | |
| rm -rf .gitignore | |
| rm -rf documentation/ | |
| find . -name 'deprecated' -type d -prune|grep ninja|xargs rm -rf | |
| - name: Package repository for sharing between jobs | |
| working-directory: ./ | |
| run: | | |
| touch code-artifact.tar.gz | |
| tar -czf code-artifact.tar.gz --exclude=code-artifact.tar.gz --exclude=.git --exclude=.github . | |
| - name: Create shared artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: code-artifact | |
| path: code-artifact.tar.gz | |
| retention-days: 1 | |
| overwrite: true |