ci: add Semgrep OSS scanning workflow#111

Open
hrushikeshdeshpande wants to merge 1 commit intomainfrom
hrushikesh/add-semgrep-oss-workflow

Conversation

@hrushikeshdeshpande

Summary

Adds Semgrep Community Edition (OSS) scanning to this repository as part of the App&ProdSec team's migration from Semgrep Pro to Semgrep CE.

What it does

  • Runs on every PR, on push to the main/master branch, and monthly on a staggered schedule.
  • Uses actions/cache@v5 so pip install semgrep only runs on cold cache (first run, version bump, or 7-day idle).
  • Pinned to semgrep==1.160.0 with --config=auto (default OSS ruleset).
  • Runs on ubuntu-slim with contents: read token scope.

For reviewers

  • Findings are informational; the job does not block on findings.
  • First PR after merge installs Semgrep; subsequent PRs skip that step.

See the internal App&ProdSec email for migration context, or ping us internally.
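A workflow that implements the behaviour listed under "What it does", added here as an illustration; it is not the PR's own workflow file, which is not reproduced on this page. The file path, job and step names, the virtualenv location and the cron value are assumptions; the Semgrep version, action version, runner label and token scope are the ones the description states.

```yaml
# .github/workflows/semgrep-oss.yml  (constructed path; not the PR's own file)
name: Semgrep OSS

on:
  pull_request:
  push:
    branches: [main, master]
  schedule:
    # Monthly run. The day-of-month and hour are a constructed placeholder;
    # give each repository a different value so scheduled scans are staggered
    # instead of all starting in the same minute.
    - cron: "17 4 9 * *"

# The job only reads source, so GITHUB_TOKEN gets read-only contents scope.
permissions:
  contents: read

env:
  SEMGREP_VERSION: "1.160.0"

jobs:
  semgrep:
    runs-on: ubuntu-slim
    steps:
      - uses: actions/checkout@v4

      # Cache a dedicated virtualenv keyed on OS + pinned Semgrep version.
      # A version bump changes the key (cold cache). GitHub also evicts
      # caches not accessed for 7 days, which is the "7-day idle" case.
      - name: Restore Semgrep virtualenv
        id: semgrep-cache
        uses: actions/cache@v5
        with:
          path: ~/semgrep-venv
          key: semgrep-${{ runner.os }}-${{ env.SEMGREP_VERSION }}

      # pip install runs only on a cache miss. The venv lives in $HOME,
      # outside the checkout, so Semgrep does not scan its own site-packages.
      # Assumes python3 is available on the runner image.
      - name: Install Semgrep
        if: steps.semgrep-cache.outputs.cache-hit != 'true'
        run: |
          python3 -m venv ~/semgrep-venv
          ~/semgrep-venv/bin/pip install --no-cache-dir "semgrep==${SEMGREP_VERSION}"

      - name: Add Semgrep to PATH
        run: echo "$HOME/semgrep-venv/bin" >> "$GITHUB_PATH"

      # Default OSS ruleset via --config=auto (rules are fetched from the
      # Semgrep registry at run time). Findings are reported in the job log
      # only; continue-on-error keeps the job green regardless of the CLI
      # exit code, matching the "informational" policy above.
      - name: Semgrep scan (informational)
        continue-on-error: true
        run: semgrep scan --config=auto
```

Two checks worth making when adopting something like this: confirm on a second run that the "Install Semgrep" step is skipped (cache hit), and confirm that a change to `SEMGREP_VERSION` produces a miss and a fresh install, since a stale venv for an old version is the failure mode the version-keyed cache is meant to rule out.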

ThimoDEV pushed a commit to ThimoDEV/fork-mcp-codemode that referenced this pull request Apr 25, 2026
…tes (cloudflare#109)

* feat: redesign consent UI with resource/action matrix and user templates

Replaces the checkbox-list consent dialog with a resource-row x action-pill
matrix inspired by the Cloudflare dashboard's API token UI. Ships two
built-in templates - read-only and YOLO (full access, capped at 76) -
and lets users save custom scope selections as named templates in
localStorage.

- scopes: drop workers-full and dns-full templates; compute YOLO from
  ALL_SCOPES minus sensitive/deprecated (teams:pii, teams:secure_location,
  constellation:write, cloudchamber:write) to stay under MAX_SCOPES
- consent UI: template pill chooser, search + matrix of resource rows with
  per-action pills, live counter, inline save-as-template flow, sticky
  footer action bar, editorial typography (Fraunces / IBM Plex Sans /
  JetBrains Mono)
- oauth-handler: pass REQUIRED_SCOPES through so Core pills render locked

* style: restore CF dashboard + old MCP consent aesthetic

Drops the Fraunces/editorial treatment from the first pass and restores
the existing Cloudflare design language: Inter, cream palette, white card,
orange accent, SF Mono for scopes, round pill buttons, CF logo header and
Privacy/Terms/Docs footer.

The template chooser, resource/action pill matrix, save-as-template
interaction, localStorage persistence, and live counter are unchanged.
Resources are now grouped into dashboard-style category accordions
(Core, Developer Platform, AI & Machine Learning, DNS & Zones, ...).

* style: tighten consent UI toward dashboard styling

- Remove 'Recommended' tagline from read-only template
- Rename YOLO template label to 'Full access'
- Remove the 'Using <template>...' status line from the card
- Re-add Core category but style locked pills as a soft disabled grey
  instead of the heavy near-black they had before
- Shift palette from cream/brown to the dashboard's white/grey: white card
  on off-white background, neutral greys, 8px button radius, softer
  orange-tinted active states for pills/templates

* style: collapse all permission categories by default

Previously the first category (Core) was auto-expanded, which filled the
top of the dialog with locked required pills the user couldn't act on.
Start with every category collapsed; the selected count on each summary
row indicates what the active template has turned on.

* style: fix acronym labels and expand read-only to all :read scopes

- Add RESOURCE_LABELS overrides so 'url_scanner' renders as 'URL Scanner',
  'cfone' as 'Cloudflare One', 'dex' as 'DEX', 'aig' as 'AI Gateway',
  'sso-connector' as 'SSO Connector', etc. Fallback humanize still handles
  unknown keys.
- Derive the read-only template programmatically from ALL_SCOPES, picking
  everything that ends with ':read' on top of REQUIRED_SCOPES. Grows the
  template from 15 to ~35 scopes so read workflows don't need to drop to
  Custom just to see audit logs / load balancers / ai gateway / etc.

* chore: remove unused scopes and fix observability-telemetry label

Drop scopes we're not going to support from the MCP server:
- cloudchamber:write (legacy)
- constellation:write (deprecated)
- rag:read, rag:write
- notebook-examples:read
- firstpartytags:write

YOLO_EXCLUDED shrinks to just teams:pii + teams:secure_location. The
read-only template is computed from ALL_SCOPES so it auto-adapts.

Also rename the workers_observability_telemetry label from 'Workers
Telemetry' to 'Workers Observability Telemetry' to match the scope name.

* style: set heading/product type hierarchy and align row indent

- Category summary: font-weight 600, near-black so it reads as a heading
- Resource row name: font-weight 400 in muted grey
- Indent resource rows so their text aligns under the category label
  (past the chevron + gap), matching the dashboard's visual hierarchy

* style: restore CF design language on error page

renderErrorPage was still using the editorial Fraunces / IBM Plex /
JetBrains Mono treatment from the first design pass. Rewrite it to
match the consent dialog: Inter, CF cream/grey palette, the same
masthead (logo + divider + 'MCP Server' label), card on off-white
body, 8px radii, orange CTA, and the Privacy/Terms/Docs footer.

* style: match dashboard typography values exactly

Extracted computed styles from the live CF dashboard token UI:
- category heading: 14px / weight 500 / #000 / letter-spacing -0.14px
  (was 0.9rem / 600 / #111)
- product name: 14px / weight 400 / #636363 (oklch(0.439 0 0)) /
  letter-spacing -0.16px (was 0.85rem / 400 / #707070)
- row dividers: 1px dashed rgba(37,37,37,0.1) top border, no bottom
  (was solid bottom)
- row min-height 48px (was variable padding height)
- body tightens letter-spacing to -0.01em
- font-family prefers 'Inter Variable' (CF's stack) then falls back to
  Google Fonts 'Inter' which is the same variable font under the hood

* style: full access = every scope, flatten permissions panel

- Full access template now equals ALL_SCOPES (74). Drops YOLO_EXCLUDED
  entirely per product call; teams:pii + teams:secure_location are now
  included.
- Remove the boxed outline + rounded border around the permissions
  accordion. Inter-category separators are now dashed 1px rows (matching
  the dashboard's hairline dashed dividers), not solid borders in a
  panel. Category + row borders all share the same
  rgba(37,37,37,0.1) dashed treatment.

* style: adopt Kumo design tokens and real checkbox pattern

- CSS variables now mirror @cloudflare/kumo/theme-kumo.css: --cf-base
  (#fff), --cf-canvas (#fbfbfb), --cf-elevated (#fafafa), --cf-tint
  (#f7f7f7), --cf-recessed (#f5f5f5), --cf-hairline (#eeeeee),
  --cf-interact (#d4d4d4), --cf-contrast (#262626), --cf-line
  (rgba(37,37,37,.1)), text-default/strong/subtle/inactive at the Kumo
  neutral-900/600/500/400 values. Old --cf-orange/--cf-text/--cf-bg/etc.
  are renamed throughout the stylesheet.
- Action pills are now the Kumo checkbox pattern: 16px box with a
  hairline ring, near-black (--cf-contrast) bg with white tick when
  active, plain 14px/400 label, transparent pill container with tint
  hover. Replaces the rounded-rectangle button look.
- Required pill: opacity 0.5 (Kumo disabled convention) instead of
  greyed-out fill.
- Row 'Required' badge is now plain orange text (no border/box).

* style: kumoify checkbox container and add info tooltips to section labels

- Restore firstpartytags:write scope with the 'First-party Tags' /
  Google tag gateway description (Zaraz). Labeled 'First-party Tags'
  and grouped under Developer Platform.
- Wrap action checkboxes in the Kumo permission-group container:
  px-1.5 gap-3 ring-1 ring-kumo-line rounded-md h-7 bg-kumo-control
  so each row ends in a single white pill of action choices with a
  hairline outline, matching the dashboard's token creator.
- Reduce action label size to 13px to match the kumo
  [&_label]:text-sm override inside that container.
- Add info-tip component (CSS-only tooltip with dark bg, 6px radius,
  fade-in) to the 'Access template' and 'Permissions' section labels,
  matching the 'Permission policies ⓘ' pattern on the dashboard.

* style: body bg now pure white to match dashboard

Dashboard body is rgb(255,255,255). Ours was --cf-canvas (#fbfbfb),
a slightly tinted off-white. Flip body + error page bg to --cf-base
and let the card's hairline border + faint ring do the work. Card
loses its outer shadow (not present on the dash). Cat-summary hover
and save-as bg use --cf-tint (#f7f7f7) for a visible hover tint on
the now-white page.

* chore: drop firstpartytags:write scope again

Can't find a corresponding policy in the dashboard UI, so removing it
from the consent screen. Dropped from ALL_SCOPES, the test's
REGISTERED_SCOPES, RESOURCE_LABELS, and CATEGORY_MAP.

* style: restore canvas body bg for contrast; keep elevated permissions panel

- Body back to --cf-canvas (#fbfbfb) so the white card stands out.
- Categories panel keeps the new --cf-elevated (#fafafa) bg with a
  hairline ring so the permissions table has the darker-panel look
  from the dashboard. Accordion summaries and bodies are transparent
  so the panel color shows through.

* fix: cat-summary bg transparent so it shows the canvas panel

A leftover 'background: var(--cf-base)' on .cat-summary was making
each category header render white over the canvas-colored categories
panel, so the header row looked lighter than the rows below it. Set
it to transparent so the dashed dividers and canvas bg are continuous
across the whole accordion.