Semgrep SAST doc update (#8784)

This PR aims to update the public documentation about SAST scanning at
sourcegraph. Added relevant playbook and details for semgrep SAST.

---------

Co-authored-by: Vincent Ruijter <[email protected]>

content/departments/security/security-onboarding.md

@@ -10,11 +10,13 @@ Below you'll find some steps to get your local development enviroment set up, co
 
 Sourcegraph as a whole uses Slack heavily for daily communication - our team also uses a [journal](https://docs.google.com/document/d/1cUI_M5KO7ksl8V3CAUBj0O1IUL7wZQSmjPlZTIe-sg4/edit) to document work progress each week. Here are some recommended channels to join to make sure you're kept in the loop.
 
-- **#security** - This is our public channel where other teams can contact us with questions / support requests.
-- **#security-internal** - This is our teams "private" channel (all channels are visible to all) where our team can collaborate with each other asynchronously, share interesting news, ocassional memes, or to just say hello 😄
+- **#discuss-security** - This is our public channel where other teams can contact us with questions / support requests.
+- **#team-security** - This is our teams "private" channel (all channels are visible to all) where our team can collaborate with each other asynchronously, share interesting news, ocassional memes, or to just say hello 😄
 - **#security-monitoring** - This is where our automated monitoring alerts are posted.
 - **#security-terraform** - Our infrastructure is managed using Terraform, and notifications regarding changes to security-related infrastructure go here.
 - **#incidents** - This is where product incidents are posted. A useful channel if you get engaged for an incident and need context.
+- **#security-code-monitoring** - This is where our Code scanning monitoring alerts are posted that includes Semgrep SAST, Dependabot, Hackerone.
+- **#security-infra-observability** - This is where alerts go related to the availability of our security systems. This includes alerts from Google Monitoring and uptime checks.
 
 ## GitHub Setup
 

content/departments/security/security-support-rotation.md

@@ -32,6 +32,7 @@ Issues should arrive through the following channels, which should be checked at
 - #security
 - #security-internal
 - #security-monitoring
+- #security-code-monitoring
 - Slack messages that tag @security-team or @security-support
 - GitHub notifications tagging @sourcegraph/security
 - HackerOne reports (via email)

content/departments/security/tooling/index.md

@@ -28,7 +28,7 @@ of vulnerability.
 
 - We use [Checkov](./checkov.md) to scan our Terraform infrastructure.
 - We use [Trivy](./trivy/index.md) to scan containers for issues with dependencies.
-- We use [SonarCloud](./sonarcloud.md) to scan our code in `sourcegraph/sourcegraph` for vulnerabilities
+- We use [Semgrep OSS](./semgrep.md) to scan our code in `sourcegraph/sourcegraph` and `sourcegraph/cody` for vulnerabilities & bad patterns
 
 ## Entitle
 

content/departments/security/tooling/semgrep.md

@@ -0,0 +1,53 @@
+# Semgrep OSS vulnerability scanning
+
+We use [Semgrep OSS](https://semgrep.dev) as a static analysis tool to analyse the code in the
+`sourcegraph/sourcegraph` and `sourcegraph/cody` repository for security vulnerabilities
+and bad patterns. We have published playbook below seperately to resolve issues, false positives.
+
+- [Developer playbook](https://github.com/sourcegraph/infrastructure/tree/main/security/tooling/sast/playbook)
+- [Security engineer playbook](https://github.com/sourcegraph/infrastructure/blob/main/security/tooling/sast/playbook/security-engineers-playbook.md)
+- [Operational playbook](https://github.com/sourcegraph/infrastructure/blob/main/security/tooling/sast/playbook/operational-playbook.md)
+
+## For Sourcegraph engineers
+
+### For resolving Semgrep SAST alerts
+
+Semgrep [Developer playbook](https://github.com/sourcegraph/infrastructure/tree/main/security/tooling/sast/playbook) is well documented handling any situation that developer faces.
+Any Semgrep issues should be visible to you via the output of the `Semgrep OSS /
+Code Analysis` GitHub check and as Github Comments.
+
+If the offending commit has to be landed as part of resolving an incident,
+
+- Check the [Developer Playbook](https://github.com/sourcegraph/infrastructure/tree/main/security/tooling/sast/playbook) to resolve semgrep alert through source code comments.
+- (or) find an admin for the repository (for whom branch protection rules will not apply) to
+  merge the code in for you.
+
+### For Semgrep SAST Stuck issues
+
+This rarely happens (less than 0.5%), but if it does, please follow the steps below:
+
+- Ensure your branch is up to date with the `main` or default branch. If not please rebase your branch.
+- If the issue is still not resolved, please reach out to the Security team in #discuss-security.
+- (or) find an admin for the repository (for whom branch protection rules will not apply) to
+  merge the code in for you.
+
+If you're not still clear on how to resolve an issue raised by Semgrep, please reach out
+to the Security team in #discuss-security.
+
+## For Security engineers
+
+### Security Engineer Playbook
+
+[Security Engineer playbook](https://github.com/sourcegraph/infrastructure/blob/main/security/tooling/sast/playbook/security-engineers-playbook.md) contains all information including triaging alerts, tweak rules, semgrep errors.
+If you come up with unique issues scenario, please document in the same playbook.
+
+### Operational Playbook
+
+[Operational playbook](https://github.com/sourcegraph/infrastructure/blob/main/security/tooling/sast/playbook/operational-playbook.md) contains all information including architecture, tweaking rules, upgrading
+semgrep versions, stuck issues. If you come up with unique operational issues scenario, please document
+in the same playbook.
+
+## Semgrep SAST Alerts and Metrics
+
+Semgrep SAST alerts are stored in SIEM and can be queried from Elasticsearch (index: github-code-scanning).
+Additionally, SAST metrics dashboard is published under Analytics > Dashboard > Semgrep SAST Scan metrics.