search
Start NowBlogsWatch NowContact Us

GitHub Fixer for Opengrep

hashtag
Introduction

This guide provides step-by-step instructions on how to set up a GitHub Actions workflow that runs Opengrep and automatically fixes vulnerabilities using Mobb.

hashtag
Goal

Once this integration is complete, you will achieve the following:

  1. Be automatically scanned for security vulnerabilities using Opengrep.

  2. Upload the scan results in SARIF format onto GitHub.

  3. Trigger Mobb to analyze the findings and provide fixes.

  4. Allow developers to review and apply fixes directly within GitHub.

hashtag
Initial Setup - Mobb API Token

You will need to generate a Mobb API Token and store it in your GitHub repository as repository secret. To do so, first generate the Mobb API Token by following the guide here. Afterward, go to your GitHub repository, navigate to Settings -> Secrets and variables, and store the Mobb API Token there.

hashtag
Sample GitHub Action YAML

hashtag
Example 1 - Full Scan + Mobb autofixer triggered manually

# Mobb/Opengrep Fixer on pull requests
# This workflow defines the needed steps to run Opengrep manually (workflow_dispatch) and send the results to Mobb Fixer.
#
# Secrets in use (add your missing ones):
# MOBB_API_TOKEN - your mobb user credentials (automatically set if you forked this repo via the Mobb app)

name: "Mobb/Opengrep Full Scan"

on:
  workflow_dispatch:
  
jobs:
  scan-and-fix:
    name: Scan with Opengrep and fix with Mobb
    runs-on: 'ubuntu-latest'
    timeout-minutes: 360
    permissions:
      contents: read
      pull-requests: write
      statuses: write
      security-events: write
      
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Run Opengrep SAST scan
        run: |
          wget https://github.com/opengrep/opengrep/releases/download/v1.0.0-alpha.9/opengrep_manylinux_x86 -O opengrep
          chmod +x opengrep
          ./opengrep ci --sarif --sarif-output opengrep_report.sarif --config auto --supress-errors
        shell: bash -l {0}

      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: opengrep_report.sarif
          category: my-opengrep-sast-tool
          
      - name: Run Mobb on the findings and get fixes
        if: always()
        uses: mobb-dev/[email protected]
        with:
          report-file: "opengrep_report.sarif"
          api-key: ${{ secrets.MOBB_API_TOKEN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

hashtag
Example 2 - Diff-aware scan + Mobb autofixer triggered via a Pull Request

PreviousGitHub Fixer for CxOneNextGitLab Pipeline

Last updated