diff --git a/README.md b/README.md
index 8fbf9078ede2b8cacc58e8c129e89cf3b9704e43..34f857ed80b7c7b99c38f8e6bd1a6b51315ea1ae 100644
--- a/README.md
+++ b/README.md
@@ -363,6 +363,7 @@ It is bound to the `test` stage, and uses the following variables:
 | `semgrep-image` / `NODE_SEMGREP_IMAGE` | The Docker image used to run [Semgrep](https://semgrep.dev/docs/) | `registry.hub.docker.com/semgrep/semgrep:latest` |
 | `semgrep-args` / `NODE_SEMGREP_ARGS` | Semgrep [scan options](https://semgrep.dev/docs/cli-reference#semgrep-scan-command-options) | `--metrics off --disable-version-check --no-suppress-errors` |
 | `semgrep-rules` / `NODE_SEMGREP_RULES` | Space-separated list of [Semgrep rules](https://semgrep.dev/docs/running-rules).<br/>Can be both local YAML files or remote rules from the [Semgrep Registry](https://semgrep.dev/explore) (denoted by the `p/` prefix). | `p/javascript p/eslint p/gitlab-eslint` |
+| `semgrep-registry-base-url` / `NODE_SEMGREP_REGISTRY_BASE_URL` | The Semgrep Registry base URL that is used to download the rules. No trailing slash. | `https://semgrep.dev/c` |
 | `semgrep-download-rules-enabled` / `NODE_SEMGREP_DOWNLOAD_RULES_ENABLED` | Download Semgrep remote rules | `true` | | > :information_source: Semgrep may [collect some metrics](https://semgrep.dev/docs/metrics), especially when using rules from the Semgrep Registry.
diff --git a/kicker.json b/kicker.json
index 47b26a0538d11454ee0bac6fa931bf083a21412e..cd8190294b6563c86805b6ed7c2dabc9c2772835 100644
--- a/kicker.json
+++ b/kicker.json
@@ -128,6 +128,11 @@
 "description": "Space-separated list of [Semgrep rules](https://semgrep.dev/docs/running-rules).\n\nCan be both local YAML files or remote rules from the [Semgrep Registry](https://semgrep.dev/explore) (denoted by the `p/` prefix).",
 "default": "p/javascript p/eslint p/gitlab-eslint"
 },
+ {
+ "name": "NODE_SEMGREP_REGISTRY_BASE_URL",
+ "description": "The Semgrep Registry base URL that is used to download the rules. No trailing slash.",
+ "default": "https://semgrep.dev/c"
+ },
 {
 "name": "NODE_SEMGREP_DOWNLOAD_RULES_ENABLED",
 "description": "Download Semgrep remote rules",
diff --git a/templates/gitlab-ci-node.yml b/templates/gitlab-ci-node.yml
index 09007ca8d54514c79452f8d51155b93485f118d8..2324bba37c8c5205a0efac08c9347a5b5ba655ed 100644
--- a/templates/gitlab-ci-node.yml
+++ b/templates/gitlab-ci-node.yml
@@ -84,6 +84,10 @@ spec:
 Can be both local YAML files or remote rules from the [Semgrep Registry](https://semgrep.dev/explore) (denoted by the `p/` prefix).
 default: p/javascript p/eslint p/gitlab-eslint
+ semgrep-registry-base-url:
+ description: |-
+ The Semgrep Registry base URL that is used to download the rules. No trailing slash.
+ default: https://semgrep.dev/c
 semgrep-download-rules-enabled:
 description: Download Semgrep remote rules
 type: boolean
@@ -186,6 +190,7 @@ variables:
 NODE_SEMGREP_DISABLED: $[[ inputs.semgrep-disabled ]]
 NODE_SEMGREP_ARGS: $[[ inputs.semgrep-args ]]
 NODE_SEMGREP_RULES: $[[ inputs.semgrep-rules ]]
+ NODE_SEMGREP_REGISTRY_BASE_URL: $[[ inputs.semgrep-registry-base-url ]]
 NODE_SEMGREP_DOWNLOAD_RULES_ENABLED: $[[ inputs.semgrep-download-rules-enabled ]]
 # Outdated
 NODE_OUTDATED_DISABLED: $[[ inputs.outdated-disabled ]]
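Review bot: The new `semgrep-registry-base-url` input in the `spec:` hunk accepts any string, whereas its sibling `semgrep-download-rules-enabled` constrains its value with `type: boolean`; the "No trailing slash" requirement stated in the description is therefore only documented, not enforced, and a bare hostname or a plain-`http://` value would be accepted and handed unchanged to the download step. Because this input now decides where the job fetches the rule set that drives the scan, it is worth rejecting malformed values at pipeline creation, for example by adding `regex: ^https://.+[^/]$` under the input, provided the GitLab version this template targets supports the `regex` keyword for string inputs. The kicker.json hunk carries the same unenforced wording and should follow whatever constraint is chosen here.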
@@ -580,9 +585,10 @@ stages:
 log_info "... rule file $rule found: skip"
 SEMGREP_RULES="${SEMGREP_RULES} $rule"
 else
- log_info "... rule file $rule not found: download (https://semgrep.dev/c/$rule)"
+ rule_url="${NODE_SEMGREP_REGISTRY_BASE_URL}/$rule"
+ log_info "... rule file $rule not found: downloading from $DOWNLOAD_URL"
 dest_file="semgrep-${rule/p\//}.yml"
- wget "https://semgrep.dev/c/$rule" -O "$dest_file"
+ wget "$rule_url" -O "$dest_file"
 SEMGREP_RULES="${SEMGREP_RULES} $dest_file"
 fi
 done
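Review bot: The added log line in the `else` branch interpolates `$DOWNLOAD_URL`, a name nothing in this hunk sets, while the URL actually passed to `wget` is held in `rule_url`; the message will print an empty value (or an unrelated one if the CI environment happens to define DOWNLOAD_URL), which removes the only trace of where a rule file was fetched from now that the registry is configurable. Change it to `log_info "... rule file $rule not found: downloading from $rule_url"`. Since the base URL is now an operator-supplied input and the documented "no trailing slash" rule is not enforced, building it as `rule_url="${NODE_SEMGREP_REGISTRY_BASE_URL%/}/$rule"` avoids a double slash for a value such as `https://registry.example.invalid/c/` (constructed example). The enclosing `for rule ... do` loop begins before this hunk.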