test: added semgrep scanning tool (#284)

splunk · Mar 9, 2021 · 8b3ff6b · 8b3ff6b
1 parent c79ba09
commit 8b3ff6b
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 1 deletion.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -67,8 +67,45 @@ orbs:
           - store_test_results:
               path: test-results
 
-
 jobs:
+  semgrep:
+    environment:
+        SEMGREP_REPO_URL: << pipeline.project.git_url >>
+        SEMGREP_BRANCH: << pipeline.git.branch >>
+    docker:
+      - image: returntocorp/semgrep-agent:v1
+        user: root
+    steps:
+      - checkout
+      - run:
+          name: "Install Dependencies"
+          command: |
+            pip3 install --upgrade semgrep
+      - run:
+          name: "Semgrep Scan"
+          no_output_timeout: 1h
+          command: |
+            export SEMGREP_REPO_NAME=splunk/${CIRCLE_PROJECT_REPONAME}
+            python -m semgrep_agent --publish-deployment ${SEMGREP_DEPLOYMENT_ID} --publish-token ${SEMGREP_PUBLISH_TOKEN}
+
+            # Generate the Semgrep Dashboard URL
+            export REPO_BRANCH=$(echo "<< pipeline.git.branch >>")
+            DASHBOARD_URL=$(python3 -c "from urllib.parse import quote; import os; print('https://semgrep.dev/manage/findings?repo=' + quote(os.environ['SEMGREP_REPO_NAME'], safe='') + '&tab=findings&ref_type=branch&ref=' + quote(os.environ['REPO_BRANCH'], safe=''))")
+            echo "View Result at Semgrep Dashboard: $DASHBOARD_URL"
+
+            # Semgrep Exclude files
+            dos2unix .semgrepignore
+            SEMGREP_EXCLUDE=$(sed "/^#/d" .semgrepignore | sed "/^:/d" | sed -r '/^\s*$/d' | sed ':a;N;$!ba;s/\n/ --exclude /g')
+            echo "Excluding Semgrep Files: --exclude $SEMGREP_EXCLUDE"
+
+            # Generate xml file
+            semgrep --config="p/r2c-ci" --config="p/r2c-security-audit" --config="p/bandit" --error --strict --timeout=0 --junit-xml -o /root/project/test-results/semgrep-scan.xml --exclude $SEMGREP_EXCLUDE     
+      - store_artifacts:
+          path: test-results
+          destination: test-results
+      - store_test_results:
+          path: test-results
+
   release:
     docker:
       - image: circleci/node:12
@@ -137,6 +174,12 @@ workflows:
           filters:
             branches:
               only: /.*/
+      - semgrep:
+          context:
+            - gdi-semgrep      
+          filters:
+            branches:
+              only: /.*/
       - release:
           requires:
             - test-splunk-8-0

diff --git a/.semgrepignore b/.semgrepignore
@@ -0,0 +1,30 @@
+## Default semgrep ignore
+# Ignore git items
+.gitignore
+.git/
+:include .gitignore
+
+# Common large directories
+node_modules/
+build/
+dist/
+vendor/
+env/
+.env/
+venv/
+.venv/
+*.min.js
+
+# Common test directories
+test/
+tests/
+
+# Semgrep rules folder
+.semgrep
+
+## Additional files to be ignored
+.circleci/
+.github/
+.reuse/
+.vscode/
+.idea/