From 9fcf1602d2aff9c5506876ec0db75efd2d9e201f Mon Sep 17 00:00:00 2001 From: Shivasurya Date: Wed, 27 Mar 2024 11:56:27 -0400 Subject: [PATCH] Semgrep SAST doc update (#8784) This PR aims to update the public documentation about SAST scanning at sourcegraph. Added relevant playbook and details for semgrep SAST. --------- Co-authored-by: Vincent Ruijter --- .../security/security-onboarding.md | 6 ++- .../security/security-support-rotation.md | 1 + content/departments/security/tooling/index.md | 2 +- .../departments/security/tooling/semgrep.md | 53 +++++++++++++++++++ .../security/tooling/sonarcloud.md | 42 --------------- 5 files changed, 59 insertions(+), 45 deletions(-) create mode 100644 content/departments/security/tooling/semgrep.md delete mode 100644 content/departments/security/tooling/sonarcloud.md diff --git a/content/departments/security/security-onboarding.md b/content/departments/security/security-onboarding.md index 1546ce4de1c8..dafb78794836 100644 --- a/content/departments/security/security-onboarding.md +++ b/content/departments/security/security-onboarding.md 
@@ -10,11 +10,13 @@ Below you'll find some steps to get your local development enviroment set up, co Sourcegraph as a whole uses Slack heavily for daily communication - our team also uses a [journal](https://docs.google.com/document/d/1cUI_M5KO7ksl8V3CAUBj0O1IUL7wZQSmjPlZTIe-sg4/edit) to document work progress each week. Here are some recommended channels to join to make sure you're kept in the loop. -- **#security** - This is our public channel where other teams can contact us with questions / support requests. -- **#security-internal** - This is our teams "private" channel (all channels are visible to all) where our team can collaborate with each other asynchronously, share interesting news, ocassional memes, or to just say hello 😄 +- **#discuss-security** - This is our public channel where other teams can contact us with questions / support requests. +- **#team-security** - This is our teams "private" channel (all channels are visible to all) where our team can collaborate with each other asynchronously, share interesting news, ocassional memes, or to just say hello 😄 - **#security-monitoring** - This is where our automated monitoring alerts are posted. - **#security-terraform** - Our infrastructure is managed using Terraform, and notifications regarding changes to security-related infrastructure go here. - **#incidents** - This is where product incidents are posted. A useful channel if you get engaged for an incident and need context. +- **#security-code-monitoring** - This is where our Code scanning monitoring alerts are posted that includes Semgrep SAST, Dependabot, Hackerone. +- **#security-infra-observability** - This is where alerts go related to the availability of our security systems. This includes alerts from Google Monitoring and uptime checks. ## GitHub Setup diff --git a/content/departments/security/security-support-rotation.md b/content/departments/security/security-support-rotation.md index 5204e2305460..f52160be0fbc 100644 
--- a/content/departments/security/security-support-rotation.md +++ b/content/departments/security/security-support-rotation.md @@ -32,6 +32,7 @@ Issues should arrive through the following channels, which should be checked at - #security - #security-internal - #security-monitoring +- #security-code-monitoring - Slack messages that tag @security-team or @security-support - GitHub notifications tagging @sourcegraph/security - HackerOne reports (via email) diff --git a/content/departments/security/tooling/index.md b/content/departments/security/tooling/index.md index 5e293fdc8c59..6e1ac28a0a43 100644 --- a/content/departments/security/tooling/index.md +++ b/content/departments/security/tooling/index.md @@ -28,7 +28,7 @@ of vulnerability. - We use [Checkov](./checkov.md) to scan our Terraform infrastructure. - We use [Trivy](./trivy/index.md) to scan containers for issues with dependencies. -- We use [SonarCloud](./sonarcloud.md) to scan our code in `sourcegraph/sourcegraph` for vulnerabilities +- We use [Semgrep OSS](./semgrep.md) to scan our code in `sourcegraph/sourcegraph` and `sourcegraph/cody` for vulnerabilities & bad patterns ## Entitle diff --git a/content/departments/security/tooling/semgrep.md b/content/departments/security/tooling/semgrep.md new file mode 100644 index 000000000000..5803c583aa04 --- /dev/null +++ b/content/departments/security/tooling/semgrep.md 
@@ -0,0 +1,53 @@ +# Semgrep OSS vulnerability scanning + +We use [Semgrep OSS](https://semgrep.dev) as a static analysis tool to analyse the code in the +`sourcegraph/sourcegraph` and `sourcegraph/cody` repository for security vulnerabilities +and bad patterns. We have published playbook below seperately to resolve issues, false positives. + +- [Developer playbook](https://github.com/sourcegraph/infrastructure/tree/main/security/tooling/sast/playbook) +- [Security engineer playbook](https://github.com/sourcegraph/infrastructure/blob/main/security/tooling/sast/playbook/security-engineers-playbook.md) +- [Operational playbook](https://github.com/sourcegraph/infrastructure/blob/main/security/tooling/sast/playbook/operational-playbook.md) + +## For Sourcegraph engineers + +### For resolving Semgrep SAST alerts + +Semgrep [Developer playbook](https://github.com/sourcegraph/infrastructure/tree/main/security/tooling/sast/playbook) is well documented handling any situation that developer faces. +Any Semgrep issues should be visible to you via the output of the `Semgrep OSS / +Code Analysis` GitHub check and as Github Comments. + +If the offending commit has to be landed as part of resolving an incident, + +- Check the [Developer Playbook](https://github.com/sourcegraph/infrastructure/tree/main/security/tooling/sast/playbook) to resolve semgrep alert through source code comments. +- (or) find an admin for the repository (for whom branch protection rules will not apply) to + merge the code in for you. + +### For Semgrep SAST Stuck issues + +This rarely happens (less than 0.5%), but if it does, please follow the steps below: + +- Ensure your branch is up to date with the `main` or default branch. If not please rebase your branch. +- If the issue is still not resolved, please reach out to the Security team in #discuss-security. +- (or) find an admin for the repository (for whom branch protection rules will not apply) to + merge the code in for you. 
+ +If you're not still clear on how to resolve an issue raised by Semgrep, please reach out +to the Security team in #discuss-security. + +## For Security engineers + +### Security Engineer Playbook + +[Security Engineer playbook](https://github.com/sourcegraph/infrastructure/blob/main/security/tooling/sast/playbook/security-engineers-playbook.md) contains all information including triaging alerts, tweak rules, semgrep errors. +If you come up with unique issues scenario, please document in the same playbook. + +### Operational Playbook + +[Operational playbook](https://github.com/sourcegraph/infrastructure/blob/main/security/tooling/sast/playbook/operational-playbook.md) contains all information including architecture, tweaking rules, upgrading +semgrep versions, stuck issues. If you come up with unique operational issues scenario, please document +in the same playbook. + +## Semgrep SAST Alerts and Metrics + +Semgrep SAST alerts are stored in SIEM and can be queried from Elasticsearch (index: github-code-scanning). +Additionally, SAST metrics dashboard is published under Analytics > Dashboard > Semgrep SAST Scan metrics. diff --git a/content/departments/security/tooling/sonarcloud.md b/content/departments/security/tooling/sonarcloud.md deleted file mode 100644 index 19b65a21773f..000000000000 --- a/content/departments/security/tooling/sonarcloud.md +++ /dev/null 
@@ -1,42 +0,0 @@ -# SonarCloud vulnerability scanning - -We use [SonarCloud][0] as a static analysis tool to analyse the code in the -`sourcegraph/sourcegraph` repository for security vulnerabilities. - -## For Security engineers - -### Changing the SonarCloud configuration - -You can login to the SonarCloud website using your GitHub credentials, and should -then be able to view the SonarCloud configuration. - -SonarCloud is configured with a [quality gate][1]. This means that only code that -SonarCloud determines has a 'Security Grade' of A is considered passing. - -`sourcegraph/sourcegraph` has a branch merge protection defined: any code -which fails the quality gate will not be allowed into the `main` branch. A GitHub -admin will be required to change this. - -### Changing the GitHub/SonarCloud integration - -You will need to either be or have access to a GitHub Admin to change this. - -The SonarCloud GitHub app runs a check against all branches/pull requests, as well as -against the main branch. It currently only scans the Sourcegraph product via -the main `sourcegraph/sourcegraph` repository. - -There isn't much other configuration to set up or change for the GitHub app. - -## For Sourcegraph engineers - -Any SonarCloud issues should be visible to you via the output of the SonarCloud -Code Analysis GitHub check. If you're not clear on how to resolve an issue raised -by SonarCloud, please reach out to the Security team in [#security][2]. - -If the offending commit has to be landed as part of resolving an incident, find -an admin for the repository (for whom branch protection rules will not apply) to -merge the code in for you. - -[0]: https://sonarcloud.io -[1]: https://sonarcloud.io/organizations/sourcegraph/quality_gates/show/37292 -[2]: https://sourcegraph.slack.com/archives/C1JH2BEHZ
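Review bot: in the `security-onboarding.md` hunk, the new `#security-code-monitoring` bullet is hard to parse ("Code scanning monitoring alerts are posted that includes Semgrep SAST, Dependabot, Hackerone"); suggest "This is where code-scanning alerts from Semgrep SAST, Dependabot and HackerOne are posted." (HackerOne is the product's spelling). The rewritten `#team-security` line also carries over "our teams" and "ocassional" from the old text; since the line is being replaced anyway, change them to "our team's" and "occasional".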
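Review bot: in the `security-support-rotation.md` hunk, the channel list still reads `- #security` and `- #security-internal`, but the onboarding hunk in this same patch renames those channels to `#discuss-security` and `#team-security`, so the rotation page would now point on-call engineers at the wrong channel names. Update both entries here as well, and consider adding `- #security-infra-observability`, which the onboarding hunk introduces as the destination for availability alerts about the security systems the rotation is expected to keep working.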
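Review bot: in the new `semgrep.md` (hunk `@@ -0,0 +1,53 @@`), the incident guidance under "If the offending commit has to be landed as part of resolving an incident" tells the developer to silence the finding "through source code comments" or have an admin merge past branch protection, but never asks for a reason to be recorded or for the finding to be tracked afterwards; suggest requiring that any suppression comment carry a justification and that a follow-up issue be filed (or the bypass noted in the incident record) so incident-time suppressions do not accumulate unreviewed. The "less than 0.5%" stuck-check figure has no source in the doc; either cite where it comes from (for example the SAST metrics dashboard mentioned at the end) or drop it. Wording fixes in the same hunk: "repository" should be "repositories" since two repos are listed, "seperately" should be "separately", "We have published playbook below seperately to resolve issues, false positives" reads better as "The playbooks below cover resolving issues and false positives", "is well documented handling any situation that developer faces" as "documents how to handle the situations a developer will face", and "Github Comments" should be "GitHub comments".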
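Review bot: the deleted `sonarcloud.md` stated that `sourcegraph/sourcegraph` had branch protection tied to the SonarCloud quality gate and that a GitHub admin is required to change it, but nothing in this patch records that the SonarCloud required status check and GitHub app were removed from branch protection, or that the `Semgrep OSS / Code Analysis` check replaced it as the required check (the new doc only implies this by telling developers to find "an admin for the repository (for whom branch protection rules will not apply)"). Suggest `semgrep.md` state explicitly which GitHub check is required on `main` for both repositories, and that the SonarCloud integration has been disabled, so a leftover required check cannot block merges after the SonarCloud app is gone.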