Adding Semgrep to CI

2025-03-12 17:06:37 -04:00 · 2024-12-25 04:49:13 +00:00 · 2024-12-25 04:49:13 +00:00 · 2cf82dd7b8
commit 2cf82dd7b8
parent 1387c512ce
1 changed files with 34 additions and 0 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -93,6 +93,40 @@ test_build:
    - if: $CI_PIPELINE_SOURCE == "push"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

+semgrep:
+  # A Docker image with Semgrep installed.
+  image: semgrep/semgrep
+
+  rules:
+    # Scan changed files in MRs, (diff-aware scanning):
+    - if: $CI_MERGE_REQUEST_IID
+
+    # Scan mainline (default) branches and report all findings.
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+
+  variables:
+    # Connect to Semgrep AppSec Platform through your SEMGREP_APP_TOKEN.
+    # Generate a token from Semgrep AppSec Platform > Settings
+    # and add it as a variable in your GitLab CI/CD project settings.
+    SEMGREP_APP_TOKEN: $SEMGREP_APP_TOKEN
+
+    # Upload findings to GitLab SAST Dashboard:
+    SEMGREP_GITLAB_JSON: "1"
+
+  # Other optional settings in the `variables` block:
+
+  # Receive inline MR comments (requires Semgrep AppSec Platform account)
+  # Setup instructions:
+  # https://semgrep.dev/docs/semgrep-appsec-platform/gitlab-mr-comments
+  #   GITLAB_TOKEN: $PAT
+
+  # Run the "semgrep ci" command on the command line of the docker image and send findings
+  # to GitLab SAST.
+  script: semgrep ci --gitlab-sast > gl-sast-report.json || true
+  artifacts:
+    reports:
+      sast: gl-sast-report.json
+
 # Actual release -- triggered by pushing a new version tag

 release_job: