Git. Add semgrep workflow

.github/workflows/blueprints-unit-tests.yml

@@ -9,6 +9,9 @@ jobs:
   blueprints-cdk-tests:
     name: Run CDK tests for all blueprints
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
     defaults:
       run:
         shell: bash

.github/workflows/pre-commit.yml

@@ -0,0 +1,13 @@
+name: pre-commit
+
+on:
+  pull_request:
+    branches: ["main"]
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-python@v3
+    - uses: pre-commit/[email protected]

.github/workflows/semgrep.yaml

@@ -0,0 +1,56 @@
+# Name of this GitHub Actions workflow.
+name: Semgrep
+
+on:
+  # Scan changed files in PRs (diff-aware scanning):
+  pull_request:
+    branches: ["main"]
+  # Scan on-demand through GitHub Actions interface:
+  workflow_dispatch: {}
+  # Scan mainline branches and report all findings:
+  push:
+    branches: ["main"]
+
+jobs:
+  semgrep_scan:
+    # User definable name of this GitHub Actions job.
+    name: semgrep/ci
+    # If you are self-hosting, change the following `runs-on` value:
+    runs-on: ubuntu-latest
+    container:
+      # A Docker image with Semgrep installed. Do not change this.
+      image: returntocorp/semgrep
+    # Skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
+    permissions:
+      # required for all workflows
+      security-events: write
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    steps:
+      # Fetch project source with GitHub Actions Checkout.
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Perform Semgrep Analysis
+      # @NOTE: This is the actual semgrep command to scan your code.
+      # Modify the --config option to 'r/all' to scan using all rules,
+      # or use multiple flags to specify particular rules, such as
+      # --config r/all --config custom/rules
+        run: semgrep scan -q --sarif --config auto > semgrep-results.sarif
+
+      # upload the results for the CodeQL GitHub app to annotate the code
+      - name: Save SARIF results as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: semgrep-scan-results
+          path: semgrep-results.sarif
+
+      # Upload SARIF file generated in previous step
+      - name: Upload SARIF result to the GitHub Security Dashboard
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: semgrep-results.sarif
+        if: always()

.github/workflows/website-deploy.yaml

@@ -11,6 +11,11 @@ jobs:
   deploy:
     name: Deploy to GitHub Pages
     runs-on: ubuntu-latest
+    permissions:
+      pages: write
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
     defaults:
       run:
         shell: bash

.github/workflows/website-test-deploy.yml

@@ -9,6 +9,9 @@ jobs:
   test-deploy:
     name: Test deployment
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
     defaults:
       run:
         shell: bash

.gitignore

@@ -7,6 +7,8 @@
 !jest.config.js
 *.d.ts
 node_modules
+!lib/**/package-lock.json
+lib/**/foo.bar
 
 # CDK asset staging directory
 .cdk.staging
@@ -35,4 +37,4 @@ ha-nodes-deploy*.json
 *.OLD
 .env
 .idea
-.vscode
+.vscode

.vscode/settings.json

@@ -3,4 +3,4 @@
         "bcuser",
         "usermod"
     ]
-}
+}

lib/base/README.md

@@ -208,7 +208,7 @@ We currently don't recommend running **archive** nodes in HA setup, because it t
 :::
 
 ### Monitoring
-Every 5 minutes a script on the deployed node publishes to CloudWatch service the metrics for current block for L1/L2 clients as well as blocks behind metric for L1 and minutes behind for L2. When the node is fully synced the blocks behind metric should get to 4 and minutes behind should get down to 0. 
+Every 5 minutes a script on the deployed node publishes to CloudWatch service the metrics for current block for L1/L2 clients as well as blocks behind metric for L1 and minutes behind for L2. When the node is fully synced the blocks behind metric should get to 4 and minutes behind should get down to 0.
 
 - To see the metrics for **single node only**:
    - Navigate to CloudWatch service (make sure you are in the region you have specified for AWS_REGION)
@@ -291,4 +291,4 @@ sudo su bcuser
 ```
 4. Where to find the key Base client directories?
 
-   - The data directory is `/data`
+   - The data directory is `/data`

lib/base/app.ts

@@ -57,4 +57,4 @@ cdk.Aspects.of(app).add(
       reports: true,
       logIgnores: false,
   })
-);
+);

lib/besu-private/README.md

@@ -6,7 +6,7 @@
 
 This blueprint deploys a ready-to-test private blockchain network powered by [Hyperledger Besu](https://github.com/hyperledger/besu/) with [IBFT consensus](https://arxiv.org/abs/2002.03613). It is accessible by applications via [AWS PrivateLink](https://aws.amazon.com/privatelink/) and [Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html) (NLB).
 
-High-level features include: 
+High-level features include:
 - Automated blockchain node recovery based on deep health check.
 - Automated key management after initial setup.
 - Deployment of software changes without downtime.

lib/ethereum/README.md

@@ -303,7 +303,7 @@ The result should be like this (the actual balance might change):
 ### Clearing up and undeploying everything
 
 1. Destroy RPC Nodes, Sync Nodes and Common components
-              
+
 ```bash
 # Setting the AWS account id and region in case local .env file is lost
  export AWS_ACCOUNT_ID=<your_target_AWS_account_id>

lib/solana/lib/assets/instance/cfn-hup/setup.sh

@@ -27,7 +27,7 @@ fi
   sed -i "s;__AWS_STACK_ID__;\"$STACK_ID\";g" /etc/cfn/cfn-hup.conf
   sed -i "s;__AWS_REGION__;\"$AWS_REGION\";g" /etc/cfn/cfn-hup.conf
 
-  mkdir -p /etc/cfn/hooks.d/system  
+  mkdir -p /etc/cfn/hooks.d/system
   mv /opt/instance/cfn-hup/cfn-auto-reloader.conf /etc/cfn/hooks.d/cfn-auto-reloader.conf
   sed -i "s;__AWS_STACK_NAME__;\"$STACK_NAME\";g" /etc/cfn/hooks.d/cfn-auto-reloader.conf
   sed -i "s;__AWS_REGION__;\"$AWS_REGION\";g" /etc/cfn/hooks.d/cfn-auto-reloader.conf
@@ -37,4 +37,4 @@ fi
 
   systemctl daemon-reload
   systemctl enable --now cfn-hup
-  systemctl start cfn-hup.service
+  systemctl start cfn-hup.service

lib/solana/lib/assets/instance/storage/setup.sh

@@ -95,11 +95,11 @@ fi
     if [ -n "$VOLUME_SIZE" ]; then
       VOLUME_ID=/dev/$(lsblk -lnb | awk -v VOLUME_SIZE_BYTES="$VOLUME_SIZE" '{if ($4== VOLUME_SIZE_BYTES) {print $1}}')
       echo "Data volume size defined, use respective volume id: $VOLUME_ID"
-    else 
+    else
       VOLUME_ID=$(get_next_empty_nvme_disk)
       echo "Data volume size undefined, trying volume id: $VOLUME_ID"
     fi
-    
+
     make_fs $FILE_SYSTEM "$VOLUME_ID"
 
     sleep 10
@@ -127,4 +127,4 @@ fi
     chown -R bcuser:bcuser "$DIR_NAME"
   else
     echo "$DIR_NAME volume is mounted, nothing changed"
-  fi
+  fi

lib/solana/lib/assets/instance/storage/update-cloudwatch-dashboard.sh

@@ -81,4 +81,4 @@ for MOUNT_PATH in ${MOUNT_PATHS[*]}; do
 done
 
 # Upload cloudwatch dashboard using aws cli
-aws cloudwatch put-dashboard --dashboard-name "$DASHBOARD_NAME" --dashboard-body file:///tmp/dashboard.json
+aws cloudwatch put-dashboard --dashboard-name "$DASHBOARD_NAME" --dashboard-body file:///tmp/dashboard.json

lib/solana/lib/assets/node/build-binaries.sh

@@ -43,4 +43,4 @@ if [ ! -d "/home/bcuser/bin" ]; then
   mkdir -p /home/bcuser/bin
 fi
 mv $PWD/bin/* /home/bcuser/bin
-echo export PATH=/home/bcuser/bin:$PATH >> /home/bcuser/.profile
+echo export PATH=/home/bcuser/bin:$PATH >> /home/bcuser/.profile

lib/solana/lib/assets/node/node.service

@@ -12,4 +12,4 @@ LogRateLimitIntervalSec=0
 Environment="PATH=/bin:/usr/bin:/home/bcuser/bin"
 ExecStart=/home/bcuser/bin/node-service.sh
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target

lib/solana/lib/assets/node/setup.sh

@@ -212,4 +212,4 @@ echo "Starting node as a service"
 
 mv /opt/node/node.service /etc/systemd/system/node.service
 systemctl daemon-reload
-systemctl enable --now node
+systemctl enable --now node

lib/solana/lib/assets/sync-checker/setup.sh

@@ -22,4 +22,4 @@ mv /opt/sync-checker/sync-checker.timer /etc/systemd/system/sync-checker.timer
 
 echo "Starting sync checker timer"
 systemctl start sync-checker.timer
-systemctl enable sync-checker.timer
+systemctl enable sync-checker.timer

lib/solana/lib/assets/sync-checker/sync-checker.service

@@ -2,4 +2,4 @@
 Description="Sync checker for blockchain node"
 
 [Service]
-ExecStart=/opt/syncchecker.sh
+ExecStart=/opt/syncchecker.sh

lib/solana/lib/assets/sync-checker/sync-checker.timer

@@ -6,4 +6,4 @@ OnCalendar=*:*:0/5
 Unit=sync-checker.service
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target

lib/solana/lib/constructs/node-cw-dashboard.ts

@@ -321,4 +321,4 @@ export const SingleNodeCWDashboardJSON = {
             }
         }
     ]
-}
+}