Added semgrep (#49)

* Added semgrep * Skip precommit semgrep in ci
HackUCF · Mar 19, 2024 · e7f5ef7 · e7f5ef7
1 parent 8ca4387
commit e7f5ef7
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 2 deletions.
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -18,4 +18,5 @@ jobs:
         with:
           path: ~/.cache/pre-commit/
           key: pre-commit-4|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}
+      - run: echo "SKIP=semgrep" >> $GITHUB_ENV
       - run: pre-commit run --show-diff-on-failure --color=always --all-files
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -0,0 +1,34 @@
+# Name of this GitHub Actions workflow.
+name: Semgrep OSS scan
+
+on:
+  # Scan changed files in PRs (diff-aware scanning):
+  pull_request: {}
+  # Scan on-demand through GitHub Actions interface:
+  workflow_dispatch: {}
+  # Scan mainline branches and report all findings:
+  push:
+    branches: ["master", "main"]
+  # Schedule the CI job (this method uses cron syntax):
+  schedule:
+    - cron: '14 21 * * *'
+
+jobs:
+  semgrep:
+    # User definable name of this GitHub Actions job.
+    name: semgrep-oss/scan
+    # If you are self-hosting, change the following `runs-on` value:
+    runs-on: ubuntu-latest
+
+    container:
+      # A Docker image with Semgrep installed. Do not change this.
+      image: semgrep/semgrep
+
+    # Skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      # Fetch project source with GitHub Actions Checkout.
+      - uses: actions/checkout@v3
+      # Run the "semgrep scan" command on the command line of the docker image.
+      - run: semgrep scan --config auto
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -23,4 +23,9 @@ repos:
       - id: trailing-whitespace
       - id: check-merge-conflict
       - id: end-of-file-fixer
-      - id: check-toml
+  - repo: https://github.com/semgrep/semgrep
+    rev: 'v1.65.0'
+    hooks:
+      - id: semgrep
+        # See https://semgrep.dev/explore to select a ruleset and copy its URL
+        args: ['--error', '--skip-unknown-extensions']
diff --git a/requirements.txt b/requirements.txt
@@ -61,7 +61,8 @@ requests==2.31.0
 requests-oauthlib==1.4.0
 requestsexceptions==1.4.0
 rsa==4.9
-s3transfer==0.10.1
+s3transfer==0.10.0
+semgrep==1.65.0
 six==1.16.0
 sniffio==1.3.1
 starlette==0.36.3