Test semgrep

selectel · Oct 18, 2024 · 3d9984b · 3d9984b
1 parent 4b87dd2
commit 3d9984b
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 2 deletions.
diff --git a/.github/workflows/secure.yml b/.github/workflows/secure.yml
@@ -21,7 +21,7 @@ jobs:
       security-events: write
     steps:
       - uses: actions/checkout@v4
-      - run: semgrep scan --sarif --output=semgrep.sarif --error --severity=WARNING
+      - run: semgrep scan --sarif --output=semgrep.sarif --severity=WARNING
         env:
           SEMGREP_RULES: >-
             p/command-injection
@@ -41,8 +41,9 @@ jobs:
             p/security-audit
             p/sql-injection
             p/xss
-      - uses: github/codeql-action/upload-sarif@v3
+      - uses: github/codeql-action/upload-sarif@v3.26.3
         with:
+          args: --no-metadata-verification
           sarif_file: semgrep.sarif
         if: always()
 

diff --git a/GNUmakefile b/GNUmakefile
@@ -45,4 +45,25 @@ ifeq (,$(wildcard $(GOPATH)/src/$(WEBSITE_REPO)))
 endif
 	@$(MAKE) -C $(GOPATH)/src/$(WEBSITE_REPO) website-provider-test PROVIDER_PATH=$(shell pwd) PROVIDER_NAME=$(PKG_NAME)
 
+semgrep:
+	docker run --rm -v ${PWD}:/app:ro -w /app semgrep/semgrep semgrep scan --error --metrics=off \
+		--config=p/command-injection \
+		--config=p/comment \
+		--config=p/cwe-top-25 \
+		--config=p/default \
+		--config=p/gitlab \
+		--config=p/gitleaks \
+		--config=p/golang \
+		--config=p/gosec \
+		--config=p/insecure-transport \
+		--config=p/owasp-top-ten \
+		--config=p/r2c-best-practices \
+		--config=p/r2c-bug-scan \
+		--config=p/r2c-security-audit \
+		--config=p/secrets \
+		--config=p/security-audit \
+		--config=p/sql-injection \
+		--config=p/xss \
+		.
+
 .PHONY: golangci-lint build test testacc fmt test-compile website website-test