From bbb657e95a2cb822afb20cd9630b50022344d10f Mon Sep 17 00:00:00 2001
From: "belokobylskii.i"
Date: Fri, 18 Oct 2024 16:07:52 +0300
Subject: [PATCH] feat: add semgrep to makefile & fix it's rules

---
 .github/workflows/secure.yml | 2 +-
 .semgrepignore | 1 +
 GNUmakefile | 25 ++++++++++++++++++++++++-
 selectel/dbaas.go | 3 +--
 4 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/secure.yml b/.github/workflows/secure.yml
index 8ee6d379..a2b3d54e 100644
--- a/.github/workflows/secure.yml
+++ b/.github/workflows/secure.yml
@@ -21,7 +21,7 @@ jobs:
 security-events: write
 steps:
 - uses: actions/checkout@v4
- - run: semgrep scan --sarif --output=semgrep.sarif --error --severity=WARNING
+ - run: semgrep scan --sarif --output=semgrep.sarif --error --severity=WARNING --severity=ERROR
 env:
 SEMGREP_RULES: >-
 p/command-injection
diff --git a/.semgrepignore b/.semgrepignore
index 0fbb4489..01548a20 100644
--- a/.semgrepignore
+++ b/.semgrepignore
@@ -1 +1,2 @@
 website/
+*_test.go
diff --git a/GNUmakefile b/GNUmakefile
index e55ef800..2c5de116 100644
--- a/GNUmakefile
+++ b/GNUmakefile
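Review bot: The ruleset list in `SEMGREP_RULES` on this job and the `--config=p/...` list added to the new `semgrep` target in GNUmakefile are two hand-maintained copies of the same thing, so the CI scan and the local scan will drift apart the first time one of them is edited; only `p/command-injection` of the CI list is visible in this hunk, so I cannot confirm the two lists currently agree. Keeping the list in one place — a Makefile variable the workflow reads, or a checked-in semgrep config both invocations point at — removes that failure mode. The repeated `--severity=WARNING --severity=ERROR` is the right fix for the previous WARNING-only filter and needs no change. The `env:` block continues past the end of the hunk.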
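Review bot: The new `*_test.go` pattern excludes test files from every ruleset, including the secret-detection packs the Makefile hunk enables (`p/secrets`, `p/gitleaks`), so a credential or token pasted into a test fixture is no longer reported by either scan. Skipping tests is a reasonable trade for noisy code-quality and injection rules, but the intent is not recorded anywhere in the diff; a comment above the pattern, `# test code is skipped by all rulesets, including secret detection — keep fixtures free of real credentials`, makes the trade-off explicit for whoever next widens the rule list. If secret scanning of tests is wanted, the pattern would have to be narrowed or that ruleset run without this ignore file.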
@@ -45,4 +45,27 @@ ifeq (,$(wildcard $(GOPATH)/src/$(WEBSITE_REPO)))
 endif
 	@$(MAKE) -C $(GOPATH)/src/$(WEBSITE_REPO) website-provider-test PROVIDER_PATH=$(shell pwd) PROVIDER_NAME=$(PKG_NAME)
 
-.PHONY: golangci-lint build test testacc fmt test-compile website website-test
+
+# CLI reference:
+# https://semgrep.dev/docs/cli-reference
+semgrep:
+	docker run --rm -v ${PWD}:/app:ro -w /app semgrep/semgrep semgrep scan --error --metrics=off \
+	--config=p/command-injection \
+	--config=p/comment \
+	--config=p/cwe-top-25 \
+	--config=p/default \
+	--config=p/gitleaks \
+	--config=p/golang \
+	--config=p/gosec \
+	--config=p/insecure-transport \
+	--config=p/owasp-top-ten \
+	--config=p/r2c-best-practices \
+	--config=p/r2c-bug-scan \
+	--config=p/r2c-security-audit \
+	--config=p/secrets \
+	--config=p/security-audit \
+	--config=p/sql-injection \
+	--config=p/xss \
+	.
+
+.PHONY: golangci-lint build test testacc fmt test-compile semgrep website website-test
diff --git a/selectel/dbaas.go b/selectel/dbaas.go
index ca8fbc06..1672e3dc 100644
--- a/selectel/dbaas.go
+++ b/selectel/dbaas.go
@@ -1,7 +1,6 @@
 package selectel
 
-//nolint:gci
-import ( // nosemgrep: gitlab.gosec.G501-1
+import (
 	"context"
 	"crypto/md5"
 	"errors"
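Review bot: The scanner image on the `docker run` line of the new `semgrep` target is unpinned — `semgrep/semgrep` with no tag or digest — so each run pulls whatever the registry's default tag resolves to at that moment, results are not reproducible between developers, and the scanning tool itself is an unpinned link in the build's supply chain. Pin it, preferably by digest, `semgrep/semgrep:<VERSION>@sha256:<DIGEST>` (placeholders), and bump it deliberately alongside the CI action versions. Separately, `${PWD}` is expanded by Make as the `PWD` variable inherited from the environment, which is empty in some non-interactive invocations and would then produce a malformed `-v :/app:ro` mount; `$(CURDIR)` is the value Make maintains itself and does not depend on the caller's shell. The `:ro` mount and `--metrics=off` are good as written.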
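Review bot: The `// nosemgrep: gitlab.gosec.G501-1` suppression is removed while `"crypto/md5"` stays imported, and nothing in the hunk records why a weak hash is acceptable in this file; the use site is outside the hunk, so I cannot tell whether md5 is used as a non-cryptographic fingerprint or for something that needs integrity. If it is the former, say so at the use site rather than at the import, e.g. `// md5 is used only as a non-cryptographic fingerprint here, not for integrity or credentials — TODO confirm at the use site`. If the rulesets now enabled do flag the import, note that, as far as I recall, a `nosemgrep` comment suppresses only a finding that starts on that line (or the line after it), so the old comment on `import (` most likely never covered a match on the `"crypto/md5"` line anyway — a documented suppression belongs on the matched line.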