Added semgrep (#134)

* Added semgrep

* Remove YOLOv7 files

* Properly establish YOLOv7 as a submodule

* Update version & .gitignore

---------

Co-authored-by: HonzaCuhel <[email protected]>

Author: klemen1999

.github/workflows/semgrep.yaml

@@ -0,0 +1,65 @@
+name: Semgrep SAST Scan
+
+on:
+  pull_request:
+
+jobs:
+  semgrep:
+    # User definable name of this GitHub Actions job.
+    name: semgrep/ci
+    # If you are self-hosting, change the following `runs-on` value:
+    runs-on: ubuntu-latest
+    container:
+      # A Docker image with Semgrep installed. Do not change this.
+      image: returntocorp/semgrep
+    # Skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
+    permissions:
+      # required for all workflows
+      security-events: write
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    steps:
+      # Fetch project source with GitHub Actions Checkout.
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Perform Semgrep Analysis
+      # @NOTE: This is the actual semgrep command to scan your code.
+      # Modify the --config option to 'r/all' to scan using all rules,
+      # or use multiple flags to specify particular rules, such as
+      # --config r/all --config custom/rules
+        run: semgrep scan -q --sarif --config auto --config "p/secrets" . > semgrep-results.sarif
+        
+      - name: Pretty-Print SARIF Output
+        run: |
+          jq . semgrep-results.sarif > formatted-semgrep-results.sarif || echo "{}"
+          echo "Formatted SARIF Output (First 20 lines):"
+          head -n 20 formatted-semgrep-results.sarif || echo "{}"
+
+      - name: Validate JSON Output
+        run: |
+          if ! jq empty formatted-semgrep-results.sarif > /dev/null 2>&1; then
+            echo "⚠️ Semgrep output is not valid JSON. Skipping annotations."
+            exit 0
+          fi
+
+      - name: Add PR Annotations for Semgrep Findings
+        run: |
+          total_issues=$(jq '.runs[0].results | length' formatted-semgrep-results.sarif)
+          if [[ "$total_issues" -eq 0 ]]; then
+            echo "✅ No Semgrep issues found!"
+            exit 0
+          fi
+
+          jq -c '.runs[0].results[]' formatted-semgrep-results.sarif | while IFS= read -r issue; do
+            file=$(echo "$issue" | jq -r '.locations[0].physicalLocation.artifactLocation.uri')
+            line=$(echo "$issue" | jq -r '.locations[0].physicalLocation.region.startLine')
+            message=$(echo "$issue" | jq -r '.message.text')
+
+            if [[ -n "$file" && -n "$line" && -n "$message" ]]; then
+              echo "::error file=$file,line=$line,title=Semgrep Issue::${message}"
+            fi
+          done

.gitignore

@@ -13,6 +13,8 @@
 profile_default/
 ipython_config.py
 
+tools/.DS_Store
+
 # Remove previous ipynb_checkpoints
 #   git rm -r .ipynb_checkpoints/
 

.gitmodules

@@ -6,8 +6,8 @@
 	url = https://github.com/meituan/YOLOv6
     branch = main
 [submodule "yolov7"]
-    path = tools/yolov7/yolov7
-    url = https://github.com/WongKinYiu/yolov7
+	path = tools/yolov7/yolov7
+	url = https://github.com/WongKinYiu/yolov7.git
     branch = main
 [submodule "tools/yolo/ultralytics"]
 	path = tools/yolo/ultralytics

.semgrepignore

@@ -0,0 +1 @@
+tools/yolov7/yolov7

Dockerfile

@@ -1,16 +1,28 @@
 FROM python:3.11-bullseye
 
-## set working directory
+## Set working directory
 WORKDIR /app
 
-## instal
+## Install dependencies (including required libraries)
 RUN apt-get update && apt-get install ffmpeg libsm6 libxext6 build-essential cmake git -y
+
+## Add necessary files and set permissions
 ADD tools /app/tools
 ADD pyproject.toml /app
-
 ADD requirements.txt /app
-RUN python3 -m pip install -r requirements.txt
-RUN python3 -m pip install .
 
-## define image execution
+## Create non-root user and set ownership of the working directory
+RUN adduser --disabled-password --gecos "" --no-create-home non-root && \
+    chown -R non-root:non-root /app
+
+## Install Python dependencies
+RUN pip install .
+
+## Switch to non-root user
+USER non-root
+
+## Set PATH for the installed executable
+ENV PATH="/home/non-root/.local/bin:/usr/local/bin:$PATH"
+
+## Define image execution
 ENTRYPOINT ["tools"]

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "tools"
-version = "0.2.3"
+version = "0.2.4"
 description = "Converter for YOLO models into .ONNX format."
 readme = "README.md"
 requires-python = ">=3.8"

tools/utils/version_detection.py

@@ -36,9 +36,9 @@ def detect_version(path: str, debug: bool = False) -> str:
 
         # Extract the tar file into the extracted_model directory
         if platform.system() == "Windows":
-            subprocess.check_output(f"tar -xf {path} -C extracted_model", shell=True)
+            subprocess.check_output(["tar", "-xf", path, "-C", "extracted_model"])
         else:
-            subprocess.check_output(f"unzip {path} -d extracted_model", shell=True)
+            subprocess.check_output(["unzip", path, "-d", "extracted_model"])
 
         folder = [
             f for f in listdir("extracted_model") if isdir(join("extracted_model", f))