-
Notifications
You must be signed in to change notification settings - Fork 9.3k
137 lines (125 loc) · 4.5 KB
/
semgrep-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
name: Semgrep Checks
on:
push:
branches:
- main
- 'release/**'
pull_request:
paths:
- internal/**
- .semgrep*yml
- .github/workflows/semgrep-ci.yml
## NOTE: !!!
## When changing these workflows, ensure that the following is updated:
## - Documentation: docs/continuous-integration.md
## - Documentation: docs/makefile-cheat-sheet.md
## - Makefile: ./GNUmakefile
env:
SEMGREP_SEND_METRICS: "off"
SEMGREP_ENABLE_VERSION_CHECK: false
SEMGREP_TIMEOUT: 300
SEMGREP_ARGS: --error --quiet
jobs:
semgrep-validate:
name: Validate Code Quality Rules
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
steps:
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- run: |
semgrep --validate \
--config .ci/.semgrep.yml \
--config .ci/.semgrep-constants.yml \
--config .ci/.semgrep-test-constants.yml \
--config .ci/semgrep/
semgrep-test:
name: Semgrep Rule Tests
needs: [semgrep-validate]
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
steps:
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- run: |
semgrep --quiet --test .ci/semgrep/
semgrep:
name: Code Quality Scan
needs: [semgrep-test]
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
steps:
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- run: |
semgrep $SEMGREP_ARGS \
--config .ci/.semgrep.yml \
--config .ci/.semgrep-constants.yml \
--config .ci/.semgrep-test-constants.yml \
--config .ci/semgrep/ \
--config 'r/dgryski.semgrep-go.badnilguard' \
--config 'r/dgryski.semgrep-go.errnilcheck' \
--config 'r/dgryski.semgrep-go.marshaljson' \
--config 'r/dgryski.semgrep-go.nilerr' \
--config 'r/dgryski.semgrep-go.oddifsequence' \
--config 'r/dgryski.semgrep-go.oserrors'
naming_cae:
name: Naming Scan Caps/AWS/EC2
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
if: (github.action != 'dependabot[bot]')
steps:
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- run: semgrep --validate --config .ci/.semgrep-caps-aws-ec2.yml
- run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-caps-aws-ec2.yml
naming_tests:
name: Test Configs Scan
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
if: (github.action != 'dependabot[bot]')
steps:
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- run: semgrep --validate --config .ci/.semgrep-configs.yml
- run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-configs.yml
naming_semgrep0:
name: Service Name Scan A-C
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
if: (github.action != 'dependabot[bot]')
steps:
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- run: semgrep --validate --config .ci/.semgrep-service-name0.yml
- run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-service-name0.yml
naming_semgrep1:
name: Service Name Scan C-I
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
if: (github.action != 'dependabot[bot]')
steps:
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- run: semgrep --validate --config .ci/.semgrep-service-name1.yml
- run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-service-name1.yml
naming_semgrep2:
name: Service Name Scan I-Q
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
if: (github.action != 'dependabot[bot]')
steps:
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- run: semgrep --validate --config .ci/.semgrep-service-name2.yml
- run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-service-name2.yml
naming_semgrep3:
name: Service Name Scan Q-Z
runs-on: ubuntu-latest
container:
image: "returntocorp/semgrep:1.52.0"
if: (github.action != 'dependabot[bot]')
steps:
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- run: semgrep --validate --config .ci/.semgrep-service-name3.yml
- run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-service-name3.yml