Commit e70e29b3 authored by Pierre Smeyers's avatar Pierre Smeyers
Merge branch 'semgrep-url' into 'master'

feat: configurable semgrep rule URL

See merge request to-be-continuous/node!70
parents c0878c9e d9c20417
...@@ -363,6 +363,7 @@ It is bound to the `test` stage, and uses the following variables: ...@@ -363,6 +363,7 @@ It is bound to the `test` stage, and uses the following variables:
| `semgrep-image` / `NODE_SEMGREP_IMAGE` | The Docker image used to run [Semgrep](https://semgrep.dev/docs/) | `registry.hub.docker.com/semgrep/semgrep:latest` | | `semgrep-image` / `NODE_SEMGREP_IMAGE` | The Docker image used to run [Semgrep](https://semgrep.dev/docs/) | `registry.hub.docker.com/semgrep/semgrep:latest` |
| `semgrep-args` / `NODE_SEMGREP_ARGS` | Semgrep [scan options](https://semgrep.dev/docs/cli-reference#semgrep-scan-command-options) | `--metrics off --disable-version-check --no-suppress-errors` | | `semgrep-args` / `NODE_SEMGREP_ARGS` | Semgrep [scan options](https://semgrep.dev/docs/cli-reference#semgrep-scan-command-options) | `--metrics off --disable-version-check --no-suppress-errors` |
| `semgrep-rules` / `NODE_SEMGREP_RULES` | Space-separated list of [Semgrep rules](https://semgrep.dev/docs/running-rules).<br/>Can be both local YAML files or remote rules from the [Semgrep Registry](https://semgrep.dev/explore) (denoted by the `p/` prefix). | `p/javascript p/eslint p/gitlab-eslint` | | `semgrep-rules` / `NODE_SEMGREP_RULES` | Space-separated list of [Semgrep rules](https://semgrep.dev/docs/running-rules).<br/>Can be both local YAML files or remote rules from the [Semgrep Registry](https://semgrep.dev/explore) (denoted by the `p/` prefix). | `p/javascript p/eslint p/gitlab-eslint` |
| `semgrep-registry-base-url` / `NODE_SEMGREP_REGISTRY_BASE_URL` | The Semgrep Registry base URL that is used to download the rules. No trailing slash. | `https://semgrep.dev/c` |
| `semgrep-download-rules-enabled` / `NODE_SEMGREP_DOWNLOAD_RULES_ENABLED` | Download Semgrep remote rules | `true` | | `semgrep-download-rules-enabled` / `NODE_SEMGREP_DOWNLOAD_RULES_ENABLED` | Download Semgrep remote rules | `true` |
> :information_source: Semgrep may [collect some metrics](https://semgrep.dev/docs/metrics), especially when using rules from the Semgrep Registry. > :information_source: Semgrep may [collect some metrics](https://semgrep.dev/docs/metrics), especially when using rules from the Semgrep Registry.
...@@ -128,6 +128,11 @@ ...@@ -128,6 +128,11 @@
"description": "Space-separated list of [Semgrep rules](https://semgrep.dev/docs/running-rules).\n\nCan be both local YAML files or remote rules from the [Semgrep Registry](https://semgrep.dev/explore) (denoted by the `p/` prefix).", "description": "Space-separated list of [Semgrep rules](https://semgrep.dev/docs/running-rules).\n\nCan be both local YAML files or remote rules from the [Semgrep Registry](https://semgrep.dev/explore) (denoted by the `p/` prefix).",
"default": "p/javascript p/eslint p/gitlab-eslint" "default": "p/javascript p/eslint p/gitlab-eslint"
}, },
{
"name": "NODE_SEMGREP_REGISTRY_BASE_URL",
"description": "The Semgrep Registry base URL that is used to download the rules. No trailing slash.",
"default": "https://semgrep.dev/c"
},
{ {
"name": "NODE_SEMGREP_DOWNLOAD_RULES_ENABLED", "name": "NODE_SEMGREP_DOWNLOAD_RULES_ENABLED",
"description": "Download Semgrep remote rules", "description": "Download Semgrep remote rules",
...@@ -84,6 +84,10 @@ spec: ...@@ -84,6 +84,10 @@ spec:
Can be both local YAML files or remote rules from the [Semgrep Registry](https://semgrep.dev/explore) (denoted by the `p/` prefix). Can be both local YAML files or remote rules from the [Semgrep Registry](https://semgrep.dev/explore) (denoted by the `p/` prefix).
default: p/javascript p/eslint p/gitlab-eslint default: p/javascript p/eslint p/gitlab-eslint
semgrep-registry-base-url:
description: |-
The Semgrep Registry base URL that is used to download the rules. No trailing slash.
default: https://semgrep.dev/c
semgrep-download-rules-enabled: semgrep-download-rules-enabled:
description: Download Semgrep remote rules description: Download Semgrep remote rules
type: boolean type: boolean
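Review bot: the new `semgrep-registry-base-url` input documents a "No trailing slash" constraint that nothing in this spec enforces, so a value such as `https://semgrep.dev/c/` will silently produce a double slash in the download URL. Either validate the input here or normalise it where it is consumed (e.g. `${NODE_SEMGREP_REGISTRY_BASE_URL%/}` in the download script) rather than relying on the description alone.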
...@@ -186,6 +190,7 @@ variables: ...@@ -186,6 +190,7 @@ variables:
NODE_SEMGREP_DISABLED: $[[ inputs.semgrep-disabled ]] NODE_SEMGREP_DISABLED: $[[ inputs.semgrep-disabled ]]
NODE_SEMGREP_ARGS: $[[ inputs.semgrep-args ]] NODE_SEMGREP_ARGS: $[[ inputs.semgrep-args ]]
NODE_SEMGREP_RULES: $[[ inputs.semgrep-rules ]] NODE_SEMGREP_RULES: $[[ inputs.semgrep-rules ]]
NODE_SEMGREP_REGISTRY_BASE_URL: $[[ inputs.semgrep-registry-base-url ]]
NODE_SEMGREP_DOWNLOAD_RULES_ENABLED: $[[ inputs.semgrep-download-rules-enabled ]] NODE_SEMGREP_DOWNLOAD_RULES_ENABLED: $[[ inputs.semgrep-download-rules-enabled ]]
# Outdated # Outdated
NODE_OUTDATED_DISABLED: $[[ inputs.outdated-disabled ]] NODE_OUTDATED_DISABLED: $[[ inputs.outdated-disabled ]]
...@@ -580,9 +585,10 @@ stages: ...@@ -580,9 +585,10 @@ stages:
log_info "... rule file $rule found: skip" log_info "... rule file $rule found: skip"
SEMGREP_RULES="${SEMGREP_RULES} $rule" SEMGREP_RULES="${SEMGREP_RULES} $rule"
else else
log_info "... rule file $rule not found: download (https://semgrep.dev/c/$rule)" rule_url="${NODE_SEMGREP_REGISTRY_BASE_URL}/$rule"
log_info "... rule file $rule not found: downloading from $DOWNLOAD_URL"
dest_file="semgrep-${rule/p\//}.yml" dest_file="semgrep-${rule/p\//}.yml"
wget "https://semgrep.dev/c/$rule" -O "$dest_file" wget "$rule_url" -O "$dest_file"
SEMGREP_RULES="${SEMGREP_RULES} $dest_file" SEMGREP_RULES="${SEMGREP_RULES} $dest_file"
fi fi
done done
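Review bot: the new log line references `$DOWNLOAD_URL`, but the variable assigned on the line above is `rule_url`, so the message will print an empty URL ("downloading from "). Change it to `log_info "... rule file $rule not found: downloading from $rule_url"`. While here, since the base URL is now taken from a CI variable and fed straight to `wget`, consider stripping a trailing slash (`${NODE_SEMGREP_REGISTRY_BASE_URL%/}`) and logging the effective base URL once at the start of the job, so that a pipeline-level override of the registry source is visible in the job output.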