# GitHub Fixer for Opengrep

## Introduction

This guide provides step-by-step instructions on how to set up a GitHub Actions workflow that runs Opengrep and automatically fixes vulnerabilities using Mobb.

## Goal

Once this integration is complete, each run of the workflow will:

1. Scan the repository for security vulnerabilities with Opengrep.
2. Upload the scan results in **SARIF format** to GitHub.
3. Trigger Mobb to analyze the findings and provide fixes.
4. Allow developers to review and apply the fixes directly within GitHub.

## Initial Setup - Mobb API Token

You will need to generate a Mobb API Token and store it in your GitHub repository as a repository secret. To do so, first generate the Mobb API Token by following the guide [here](https://docs.mobb.ai/mobb-user-docs/administration/access-tokens). Afterward, go to your GitHub repository, navigate to **Settings -> Secrets and variables**, and store the Mobb API Token there under the name `MOBB_API_TOKEN` (the name the workflows below reference as `secrets.MOBB_API_TOKEN`).

## Sample GitHub Action YAML

### Example 1 - Full Scan + Mobb autofixer triggered manually

```yaml
# Mobb/Opengrep Fixer, full scan triggered manually
# This workflow defines the needed steps to run Opengrep manually (workflow_dispatch) and send the results to Mobb Fixer.
#
# Secrets in use (add your missing ones):
# MOBB_API_TOKEN - your mobb user credentials (automatically set if you forked this repo via the Mobb app)

name: "Mobb/Opengrep Full Scan"

on:
  workflow_dispatch:
  
jobs:
  scan-and-fix:
    name: Scan with Opengrep and fix with Mobb
    runs-on: 'ubuntu-latest'
    timeout-minutes: 360
    permissions:
      contents: read
      pull-requests: write
      statuses: write
      security-events: write
      
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Run Opengrep SAST scan
        run: |
          # Download a pinned Opengrep release binary, then run a full scan and write the findings as SARIF
          wget https://github.com/opengrep/opengrep/releases/download/v1.0.0-alpha.9/opengrep_manylinux_x86 -O opengrep
          chmod +x opengrep
          ./opengrep ci --sarif --sarif-output opengrep_report.sarif --config auto --suppress-errors
        shell: bash -l {0}

      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: opengrep_report.sarif
          category: my-opengrep-sast-tool
          
      - name: Run Mobb on the findings and get fixes
        if: always()
        uses: mobb-dev/action@v1.1
        with:
          report-file: "opengrep_report.sarif"
          api-key: ${{ secrets.MOBB_API_TOKEN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

### Example 2 - Diff-aware scan + Mobb autofixer triggered via a Pull Request

```yaml
# Mobb/Opengrep Fixer on pull requests
# This workflow defines the needed steps to run Opengrep on every pull request and pass the results to Mobb Fixer.
#
# Secrets in use (add your missing ones):
# MOBB_API_TOKEN - your mobb user credentials (automatically set if you forked this repo via the Mobb app)

name: "Mobb/Opengrep from PR"

on:
  pull_request:
    branches: ["*"]

jobs:
  scan-and-fix:
    name: Scan with Opengrep and fix with Mobb
    runs-on: 'ubuntu-latest'
    timeout-minutes: 360
    permissions:
      contents: read
      pull-requests: write
      statuses: write
      security-events: write
      
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Run Opengrep SAST scan
        run: |
          # Download a pinned Opengrep release binary, then scan the pull request and write the findings as SARIF
          wget https://github.com/opengrep/opengrep/releases/download/v1.0.0-alpha.9/opengrep_manylinux_x86 -O opengrep
          chmod +x opengrep
          ./opengrep ci --sarif --sarif-output opengrep_report.sarif --config auto --suppress-errors
        shell: bash -l {0}
        
      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: opengrep_report.sarif
          category: my-opengrep-sast-tool
          
      - name: Run Mobb on the findings and get fixes
        if: always()
        uses: mobb-dev/action/review@v1.1
        with:
          report-file: "opengrep_report.sarif"
          api-key: ${{ secrets.MOBB_API_TOKEN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # Opengrep is a fork of Semgrep and emits Semgrep-compatible SARIF, so Mobb parses it as a semgrep report
          scanner: semgrep
```
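Both workflows above write `opengrep_report.sarif` before handing it to the upload and Mobb steps. The following script is an added example (not part of the Mobb or Opengrep documentation) that reads such a file, flattens the findings, counts them by severity and rule, and returns a pass/fail decision a CI gate could use. It assumes the SARIF 2.1.0 layout Semgrep-compatible scanners produce (`runs[].results[]` with `ruleId`, optional `level`, `message`, `locations[].physicalLocation`, and rule defaults under `tool.driver.rules[].defaultConfiguration`); the embedded sample report, its rule IDs and file paths are constructed for this example.

```python
"""Summarize an Opengrep/Semgrep SARIF report and decide whether a CI gate should fail.

Added example, not code from the Mobb/Opengrep documentation. Assumes the SARIF
2.1.0 layout that Semgrep-compatible scanners emit. The sample report below is
constructed for this example; its rule IDs and paths are not real rules or files.
"""
import json
import sys
from collections import Counter

# SARIF levels ordered from least to most severe. "warning" is the SARIF default
# when neither the result nor its rule declares a level.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample in the shape of an opengrep_report.sarif file (not a real scan).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "Opengrep",
            "rules": [
                {"id": "example.sqli.raw-query",
                 "defaultConfiguration": {"level": "error"}},
                {"id": "example.crypto.insecure-hash",
                 "defaultConfiguration": {"level": "warning"}},
            ],
        }},
        "results": [
            # No "level" here: the level is inherited from the rule default ("error").
            {"ruleId": "example.sqli.raw-query",
             "message": {"text": "Raw SQL built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            # Explicit "level" on the result overrides the rule default.
            {"ruleId": "example.crypto.insecure-hash", "level": "note",
             "message": {"text": "MD5 used for hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "example.crypto.insecure-hash",
             "message": {"text": "MD5 used for hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/tokens.py"},
                 "region": {"startLine": 9}}}]},
        ],
    }],
})


def rule_default_levels(run):
    """Map rule id -> level declared in tool.driver.rules[].defaultConfiguration."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
            for r in rules if "id" in r}


def load_findings(sarif_text):
    """Flatten every result of every run into (rule, level, uri, line, message) tuples."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        defaults = rule_default_levels(run)
        for res in run.get("results", []):
            rule = res.get("ruleId", "<unknown>")
            level = res.get("level") or defaults.get(rule, "warning")
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
            line = phys.get("region", {}).get("startLine")
            findings.append((rule, level, uri, line, res.get("message", {}).get("text", "")))
    return findings


def summarize(findings):
    """Return (count per level, count per rule) for the flattened findings."""
    return Counter(f[1] for f in findings), Counter(f[0] for f in findings)


def gate_fails(findings, threshold="error"):
    """True if any finding is at or above the threshold level (unknown levels count as warning)."""
    return any(LEVEL_RANK.get(f[1], 2) >= LEVEL_RANK[threshold] for f in findings)


if __name__ == "__main__":
    # Usage: python3 sarif_summary.py opengrep_report.sarif (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    found = load_findings(text)
    by_level, by_rule = summarize(found)
    for rule, level, uri, line, msg in found:
        print(f"{level:8} {uri}:{line}  {rule}  {msg}")
    print("by level:", dict(by_level))
    print("by rule:", dict(by_rule))
    sys.exit(1 if gate_fails(found) else 0)
```

Run as an extra workflow step between the scan and the upload (`python3 sarif_summary.py opengrep_report.sarif`), it turns the report into a readable job log and a non-zero exit on error-level findings; because the upload and Mobb steps in both workflows carry `if: always()`, they still run after such a failure, so the findings still reach GitHub and Mobb.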
