GitHub Fixer for Opengrep


Last updated 2 months ago


Introduction

This guide provides step-by-step instructions on how to set up a GitHub Actions workflow that runs Opengrep and automatically fixes vulnerabilities using Mobb.

Goal

Once this integration is complete, your workflow will:

  1. Be automatically scanned for security vulnerabilities using Opengrep.

  2. Upload the scan results in SARIF format onto GitHub.

  3. Trigger Mobb to analyze the findings and provide fixes.

  4. Allow developers to review and apply fixes directly within GitHub.

Initial Setup - Mobb API Token

You will need to generate a Mobb API Token and store it in your GitHub repository as a repository secret. To do so, first generate the Mobb API Token by following the guide. Afterward, go to your GitHub repository, navigate to Settings -> Secrets and variables, and store the Mobb API Token there as MOBB_API_TOKEN (the name both sample workflows below read).

Sample GitHub Action YAML

Example 1 - Full Scan + Mobb autofixer triggered manually

# Mobb/Opengrep Fixer, full scan (manual trigger)
# This workflow defines the needed steps to run Opengrep manually (workflow_dispatch) and send the results to Mobb Fixer.
#
# Secrets in use (add your missing ones):
# MOBB_API_TOKEN - your mobb user credentials (automatically set if you forked this repo via the Mobb app)

name: "Mobb/Opengrep Full Scan"

on:
  workflow_dispatch:
  
jobs:
  scan-and-fix:
    name: Scan with Opengrep and fix with Mobb
    runs-on: 'ubuntu-latest'
    timeout-minutes: 360
    permissions:
      contents: read
      pull-requests: write
      statuses: write
      security-events: write
      
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Run Opengrep SAST scan
        run: |
          wget https://github.com/opengrep/opengrep/releases/download/v1.0.0-alpha.9/opengrep_manylinux_x86 -O opengrep
          chmod +x opengrep
          ./opengrep ci --sarif --sarif-output opengrep_report.sarif --config auto --suppress-errors
        shell: bash -l {0}

      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: opengrep_report.sarif
          category: my-opengrep-sast-tool
          
      - name: Run Mobb on the findings and get fixes
        if: always()
        uses: mobb-dev/action@v1.1
        with:
          report-file: "opengrep_report.sarif"
          api-key: ${{ secrets.MOBB_API_TOKEN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

Example 2 - Diff-aware scan + Mobb autofixer triggered via a Pull Request

# Mobb/Opengrep Fixer on pull requests
# This workflow defines the needed steps to run Opengrep on every pull request and pass the results to Mobb Fixer.
#
# Secrets in use (add your missing ones):
# MOBB_API_TOKEN - your mobb user credentials (automatically set if you forked this repo via the Mobb app)

name: "Mobb/Opengrep from PR"

on:
  pull_request:
    branches: ["*"]

jobs:
  scan-and-fix:
    name: Scan with Opengrep and fix with Mobb
    runs-on: 'ubuntu-latest'
    timeout-minutes: 360
    permissions:
      contents: read
      pull-requests: write
      statuses: write
      security-events: write
      
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Run Opengrep SAST scan
        run: |
          wget https://github.com/opengrep/opengrep/releases/download/v1.0.0-alpha.9/opengrep_manylinux_x86 -O opengrep
          chmod +x opengrep
          ./opengrep ci --sarif --sarif-output opengrep_report.sarif --config auto --suppress-errors
        shell: bash -l {0}
        
      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: opengrep_report.sarif
          category: my-opengrep-sast-tool
          
      - name: Run Mobb on the findings and get fixes
        if: always()
        uses: mobb-dev/action/review@v1.1
        with:
          report-file: "opengrep_report.sarif"
          api-key: ${{ secrets.MOBB_API_TOKEN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          scanner: semgrep
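Both workflows above hand opengrep_report.sarif to upload-sarif and to the Mobb action with if: always(), so a truncated or empty report is passed along silently. The following added example (written for this guide, not Mobb's or Opengrep's own code) is a small check that can run as a step between the scan and the upload: it parses the SARIF file, counts findings per rule and per level, and exits non-zero on error-level findings. The embedded SARIF document is constructed for the example and only mirrors the standard fields (runs, results, ruleId, level, locations) that Opengrep's --sarif output uses; the file name check_sarif.py is assumed.

```python
import json
import sys
from collections import Counter

# Constructed, minimal SARIF 2.1.0 document in the shape of Opengrep's --sarif output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Opengrep"}},
        "results": [
            {"ruleId": "python.lang.security.audit.sqli", "level": "error",
             "message": {"text": "SQL query built with string formatting"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "python.lang.security.audit.sqli", "level": "error",
             "message": {"text": "SQL query built with string formatting"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                 "region": {"startLine": 58}}}]},
            {"ruleId": "python.lang.security.audit.insecure-hash",  # no "level" key:
             "message": {"text": "MD5 used for hashing"},            # SARIF default is warning
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"},
                                                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def summarize_sarif(text):
    """Return (findings, counts_by_level, counts_by_rule) for a SARIF document.
    Each finding is (rule_id, level, uri, start_line, message); empty results are
    valid and yield empty collections, malformed JSON raises (a CI gate wants that)."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append((r.get("ruleId", "<no-rule>"), r.get("level", "warning"),
                             loc.get("artifactLocation", {}).get("uri", "<unknown>"),
                             loc.get("region", {}).get("startLine", 0),
                             r.get("message", {}).get("text", "")))
    return findings, Counter(f[1] for f in findings), Counter(f[0] for f in findings)


if __name__ == "__main__":
    # In CI: python check_sarif.py opengrep_report.sarif (no argument: the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    findings, by_level, by_rule = summarize_sarif(text)
    for rule, n in by_rule.most_common():
        print(f"{n:4d}  {rule}")
    sys.exit(1 if by_level["error"] else 0)  # fail the job on error-level findings
```

If you want Mobb to still receive the report on a failing gate, keep the check after the Mobb step instead of before it, or leave the exit code out and only print the summary.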
