This guide provides step-by-step instructions on how to set up a GitHub Actions workflow that runs Opengrep and automatically fixes vulnerabilities using Mobb.
Goal
Once this integration is complete, you will have the following:
Your repository is automatically scanned for security vulnerabilities using Opengrep.
The scan results are uploaded to GitHub in SARIF format.
Mobb is triggered to analyze the findings and provide fixes.
Developers can review and apply the fixes directly within GitHub.
Initial Setup - Mobb API Token
You will need to generate a Mobb API Token and store it in your GitHub repository as a repository secret. To do so, first generate the Mobb API Token by following the guide here. Afterward, go to your GitHub repository, navigate to Settings -> Secrets and variables, and store the Mobb API Token there as the secret MOBB_API_TOKEN (the name the workflows below reference).
Sample GitHub Action YAML
Example 1 - Full Scan + Mobb autofixer triggered manually
# Mobb/Opengrep Fixer, full scan triggered manually
# This workflow defines the needed steps to run Opengrep manually (workflow_dispatch) and send the results to Mobb Fixer.
#
# Secrets in use (add your missing ones):
# MOBB_API_TOKEN - your Mobb user credentials (automatically set if you forked this repo via the Mobb app)
name: "Mobb/Opengrep Full Scan"
on:
  workflow_dispatch:
jobs:
  scan-and-fix:
    name: Scan with Opengrep and fix with Mobb
    runs-on: 'ubuntu-latest'
    timeout-minutes: 360
    permissions:
      pull-requests: write
      statuses: write
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Run Opengrep SAST scan
        run: |
          wget https://github.com/opengrep/opengrep/releases/download/v1.0.0-alpha.9/opengrep_manylinux_x86 -O opengrep
          chmod +x opengrep
          ./opengrep ci --sarif --sarif-output opengrep_report.sarif --config auto
        shell: bash -l {0}
      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: opengrep_report.sarif
          category: my-opengrep-sast-tool
      - name: Run Mobb on the findings and get fixes
        if: always()
        uses: mobb-dev/action@v1
        with:
          report-file: "opengrep_report.sarif"
          api-key: ${{ secrets.MOBB_API_TOKEN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
Example 2 - Diff-aware scan + Mobb autofixer triggered via a Pull Request
# Mobb/Opengrep Fixer on pull requests
# This workflow defines the needed steps to run Opengrep on every pull request and pass the results to Mobb Fixer.
#
# Secrets in use (add your missing ones):
# MOBB_API_TOKEN - your Mobb user credentials (automatically set if you forked this repo via the Mobb app)
name: "Mobb/Opengrep"
on:
  pull_request:
    branches: ["*"]
  workflow_dispatch:
jobs:
  scan-and-fix:
    name: Scan with Opengrep and fix with Mobb
    runs-on: 'ubuntu-latest'
    timeout-minutes: 360
    permissions:
      pull-requests: write
      statuses: write
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Run Opengrep SAST scan
        run: |
          wget https://github.com/opengrep/opengrep/releases/download/v1.0.0-alpha.9/opengrep_manylinux_x86 -O opengrep
          chmod +x opengrep
          ./opengrep ci --sarif --sarif-output opengrep_report.sarif --config auto
        shell: bash -l {0}
      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: opengrep_report.sarif
          category: my-opengrep-sast-tool
      - name: Run Mobb on the findings and get fixes
        if: always()
        uses: mobb-dev/action/review@v1.1
        with:
          report-file: "opengrep_report.sarif"
          api-key: ${{ secrets.MOBB_API_TOKEN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          scanner: semgrep
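Both workflows hand the same artifact, opengrep_report.sarif, to the upload-sarif step and to Mobb. The script below is an added example (not Mobb's or Opengrep's code) that summarizes such a SARIF 2.1.0 file before it leaves the runner, so you can see per-level counts and optionally fail a PR check on error-level findings; the embedded report, its rule ids and file paths are constructed for illustration.

```python
"""Summarize an Opengrep SARIF report (added example; constructed sample data)."""
import json
from collections import Counter

# Constructed SARIF 2.1.0 document mimicking the shape Opengrep writes with
# `./opengrep ci --sarif --sarif-output opengrep_report.sarif`. Rule ids and paths are illustrative.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Opengrep", "rules": [
            {"id": "python.lang.security.audit.eval-detected",
             "defaultConfiguration": {"level": "error"}},
            {"id": "python.lang.best-practice.open-never-closed",
             "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            # Level given explicitly on the result.
            {"ruleId": "python.lang.security.audit.eval-detected", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"},
                                                 "region": {"startLine": 42}}}]},
            # Level omitted: SARIF says it is inherited from the rule's defaultConfiguration.
            {"ruleId": "python.lang.best-practice.open-never-closed",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"},
                                                 "region": {"startLine": 7}}}]},
        ],
    }],
})

def summarize_sarif(sarif_text):
    """Return {"total", "by_level", "findings": [(level, ruleId, uri, startLine), ...]}."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rule_levels = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning") for r in rules}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "<unknown>")
            level = res.get("level") or rule_levels.get(rule_id, "warning")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<no file>")
            findings.append((level, rule_id, uri, loc.get("region", {}).get("startLine", 0)))
    return {"total": len(findings), "by_level": Counter(f[0] for f in findings), "findings": findings}

def should_fail(summary, fail_on=("error",)):
    """Gate for a PR check: True when any finding carries a level listed in fail_on."""
    return any(summary["by_level"].get(lvl, 0) for lvl in fail_on)

if __name__ == "__main__":
    s = summarize_sarif(SAMPLE_SARIF)
    for level, rule, uri, line in s["findings"]:
        print(f"{level:8} {uri}:{line}  {rule}")
    print(dict(s["by_level"]), "fail:", should_fail(s))
```

To run it against a real report, read opengrep_report.sarif into summarize_sarif instead of SAMPLE_SARIF.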