# GitHub Fixer for Opengrep

## Introduction

This guide provides step-by-step instructions on how to set up a GitHub Actions workflow that runs Opengrep and automatically fixes vulnerabilities using Mobb.

## Goal

Once this integration is complete, your repository will:

1. Be automatically scanned for security vulnerabilities using Opengrep.
2. Have the scan results uploaded to GitHub in **SARIF format**.
3. Trigger Mobb to analyze the findings and provide fixes.
4. Allow developers to review and apply the fixes directly within GitHub.

## Initial Setup - Mobb API Token

You will need to generate a Mobb API Token and store it in your GitHub repository as a repository secret. To do so, first generate the Mobb API Token by following the guide [here](/mobb-user-docs/administration/access-tokens.md). Afterward, go to your GitHub repository, navigate to **Settings -> Secrets and variables**, and store the Mobb API Token there as a secret named `MOBB_API_TOKEN` (the name the workflows below reference).

## Sample GitHub Action YAML

### Example 1 - Full Scan + Mobb autofixer triggered manually

```yaml
# Mobb/Opengrep Fixer, triggered manually
# This workflow defines the needed steps to run Opengrep manually (workflow_dispatch) and send the results to Mobb Fixer.
#
# Secrets in use (add your missing ones):
# MOBB_API_TOKEN - your mobb user credentials (automatically set if you forked this repo via the Mobb app)

name: "Mobb/Opengrep Full Scan"

on:
  workflow_dispatch:
  
jobs:
  scan-and-fix:
    name: Scan with Opengrep and fix with Mobb
    runs-on: 'ubuntu-latest'
    timeout-minutes: 360
    permissions:
      contents: read
      pull-requests: write
      statuses: write
      security-events: write
      
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Run Opengrep SAST scan
        run: |
          wget https://github.com/opengrep/opengrep/releases/download/v1.0.0-alpha.9/opengrep_manylinux_x86 -O opengrep
          chmod +x opengrep
          ./opengrep ci --sarif --sarif-output opengrep_report.sarif --config auto --suppress-errors
        shell: bash -l {0}

      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: opengrep_report.sarif
          category: my-opengrep-sast-tool
          
      - name: Run Mobb on the findings and get fixes
        if: always()
        uses: mobb-dev/action@v1.1
        with:
          report-file: "opengrep_report.sarif"
          api-key: ${{ secrets.MOBB_API_TOKEN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

### Example 2 - Diff-aware scan + Mobb autofixer triggered via a Pull Request

```yaml
# Mobb/Opengrep Fixer on pull requests
# This workflow defines the needed steps to run Opengrep on every pull request and pass the results to Mobb Fixer.
#
# Secrets in use (add your missing ones):
# MOBB_API_TOKEN - your mobb user credentials (automatically set if you forked this repo via the Mobb app)

name: "Mobb/Opengrep from PR"

on:
  pull_request:
    branches: ["*"]

jobs:
  scan-and-fix:
    name: Scan with Opengrep and fix with Mobb
    runs-on: 'ubuntu-latest'
    timeout-minutes: 360
    permissions:
      contents: read
      pull-requests: write
      statuses: write
      security-events: write
      
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Run Opengrep SAST scan
        run: |
          wget https://github.com/opengrep/opengrep/releases/download/v1.0.0-alpha.9/opengrep_manylinux_x86 -O opengrep
          chmod +x opengrep
          ./opengrep ci --sarif --sarif-output opengrep_report.sarif --config auto --suppress-errors
        shell: bash -l {0}
        
      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: opengrep_report.sarif
          category: my-opengrep-sast-tool
          
      - name: Run Mobb on the findings and get fixes
        if: always()
        uses: mobb-dev/action/review@v1.1
        with:
          report-file: "opengrep_report.sarif"
          api-key: ${{ secrets.MOBB_API_TOKEN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          scanner: semgrep
```
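Both workflows above pass `opengrep_report.sarif` straight from the scan step to the upload and Mobb steps. The following script is an added example (not part of the Mobb docs or the Opengrep/Mobb projects) that summarises such a SARIF report per rule and severity level before it is handed on, so a reviewer can see what Mobb will be asked to fix; the embedded report and its rule IDs are constructed for illustration.

```python
"""Summarise an Opengrep SARIF report (added example, not project code).

Run as `python sarif_summary.py opengrep_report.sarif` in a workflow step, or
with no argument to use the constructed sample report below.
"""
import json
import sys
from collections import Counter

# Constructed sample: a minimal SARIF 2.1.0 log with three results from two rules.
# Rule IDs are placeholders, not real Opengrep registry rules.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Opengrep"}},
        "results": [
            {"ruleId": "example-rules/eval-call", "level": "warning",
             "message": {"text": "eval() on untrusted input"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app.py"},
                                                  "region": {"startLine": 12}}}]},
            {"ruleId": "example-rules/eval-call", "level": "warning",
             "message": {"text": "eval() on untrusted input"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "util.py"},
                                                  "region": {"startLine": 40}}}]},
            {"ruleId": "example-rules/raw-sql-query", "level": "error",
             "message": {"text": "string-built SQL query"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "db.py"},
                                                  "region": {"startLine": 7}}}]},
        ],
    }],
}


def summarize_sarif(sarif: dict) -> dict:
    """Count results per ruleId and per level, and list (uri, line, ruleId) triples."""
    by_rule, by_level, findings = Counter(), Counter(), []
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            rule = res.get("ruleId", "<no ruleId>")
            level = res.get("level", "warning")  # SARIF default when 'level' is omitted
            by_rule[rule] += 1
            by_level[level] += 1
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                findings.append((uri, phys.get("region", {}).get("startLine"), rule))
    return {"total": sum(by_rule.values()), "by_rule": dict(by_rule),
            "by_level": dict(by_level), "findings": findings}


if __name__ == "__main__":
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    summary = summarize_sarif(report)
    print(f"{summary['total']} findings; by level: {summary['by_level']}")
    for uri, line, rule in summary["findings"]:
        print(f"  {uri}:{line}  {rule}")
```

Because the upload and Mobb steps run with `if: always()`, a scan that crashed before writing the file would only surface as an upload failure; running this script in between makes an empty or missing report visible on its own.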
