From 642284bd906a36630cb5960ea30e074b7cf3ee7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=98=D0=BB=D1=8C=D1=8F=20=D0=9B=D1=8F=D1=89=D1=83=D0=BA?= <40496434+prog-time@users.noreply.github.com>
Date: Wed, 22 Apr 2026 20:45:00 +0300
Subject: [PATCH 1/3] issues-9|add semgrep CI snippet
---
 CI/security/semgrep.yml | 36 +++++++++++++++++++++++++++++++
 scripts/CI/security/semgrep.yml | 20 +++++++++++++++++
 scripts/shell/security/semgrep.sh | 17 +++++++++++++++
 3 files changed, 73 insertions(+)
 create mode 100644 CI/security/semgrep.yml
 create mode 100644 scripts/CI/security/semgrep.yml
 create mode 100644 scripts/shell/security/semgrep.sh
diff --git a/CI/security/semgrep.yml b/CI/security/semgrep.yml
new file mode 100644
index 0000000..f787017
--- /dev/null
+++ b/CI/security/semgrep.yml
@@ -0,0 +1,36 @@
+semgrep:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.12"
+
+ - name: Cache Semgrep
+ uses: actions/cache@v4
+ with:
+ path: ~/.cache/semgrep
+ key: semgrep-${{ runner.os }}-${{ hashFiles('**/.semgrepignore') }}
+
+ - name: Install Semgrep
+ run: pip install semgrep==1.72.0
+
+ - name: Run Semgrep
+ run: |
+ set -euo pipefail
+
+ if ! command -v semgrep &> /dev/null; then
+ echo "::error::semgrep not found. Install it before running this script."
+ exit 1
+ fi
+
+ echo "ℹ️ Running Semgrep static analysis..."
+
+ if semgrep --config p/default --error .; then
+ echo "✅ Semgrep passed"
+ exit 0
+ else
+ echo "❌ Semgrep found issues"
+ exit 1
+ fi
diff --git a/scripts/CI/security/semgrep.yml b/scripts/CI/security/semgrep.yml
new file mode 100644
index 0000000..c702ec5
--- /dev/null
+++ b/scripts/CI/security/semgrep.yml
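Review bot: The three actions in the steps list (`actions/checkout@v4`, `actions/setup-python@v5`, `actions/cache@v4`) are referenced by mutable major-version tags, so the job's supply chain is only as trustworthy as whoever can move those tags; pin each `uses:` to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4` (placeholder, substitute the real SHA). The job also declares no `permissions:` block, so it inherits whatever token scope the enclosing workflow grants although it only reads the checkout; add `permissions:` with `contents: read` under the `semgrep:` job key. The cache key is derived from `hashFiles('**/.semgrepignore')`, which does not obviously track what ends up in `~/.cache/semgrep`; keying on the pinned `semgrep==1.72.0` version would presumably invalidate it at the right moment, but confirm what that directory holds before changing it. Both the pinning and the permissions points apply equally to scripts/CI/security/semgrep.yml in the next hunk, which has the identical step list.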
@@ -0,0 +1,20 @@
+semgrep:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.12"
+
+ - name: Cache Semgrep
+ uses: actions/cache@v4
+ with:
+ path: ~/.cache/semgrep
+ key: semgrep-${{ runner.os }}-${{ hashFiles('**/.semgrepignore') }}
+
+ - name: Install Semgrep
+ run: pip install semgrep==1.72.0
+
+ - name: Run Semgrep
+ run: bash scripts/shell/security/semgrep.sh
diff --git a/scripts/shell/security/semgrep.sh b/scripts/shell/security/semgrep.sh
new file mode 100644
index 0000000..7ba3644
--- /dev/null
+++ b/scripts/shell/security/semgrep.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if ! command -v semgrep &> /dev/null; then
+ echo "::error::semgrep not found. Install it before running this script."
+ exit 1
+fi
+
+echo "ℹ️ Running Semgrep static analysis..."
+
+if semgrep --config p/default --error .; then
+ echo "✅ Semgrep passed"
+ exit 0
+else
+ echo "❌ Semgrep found issues"
+ exit 1
+fi
From db158b89d1abcfcaf02c834559f3d2694342ccbe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=98=D0=BB=D1=8C=D1=8F=20=D0=9B=D1=8F=D1=89=D1=83=D0=BA?= <40496434+prog-time@users.noreply.github.com>
Date: Wed, 22 Apr 2026 20:45:00 +0300
Subject: [PATCH 2/3] issues-9|add BATS tests for semgrep
---
 tests/security/semgrep.bats | 52 +++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 tests/security/semgrep.bats
diff --git a/tests/security/semgrep.bats b/tests/security/semgrep.bats
new file mode 100644
index 0000000..ceeac89
--- /dev/null
+++ b/tests/security/semgrep.bats
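Review bot: `semgrep --config p/default --error .` in scripts/shell/security/semgrep.sh resolves the `p/default` ruleset from the Semgrep registry at run time, so the rules are not pinned the way `semgrep==1.72.0` is in the YAML: a registry update can change the findings, and therefore the job's pass/fail, with no change in the repository, and the step needs outbound network access to run at all (registry configs also enable Semgrep's usage metrics unless `--metrics=off` is passed). If reproducibility matters, vendor the rules into the repository and point `--config` at that path, or at least record the drift in the script header. The script currently has no header describing its contract; a block such as `# Runs Semgrep with the registry ruleset p/default against the current directory.` / `# Exit 0: no findings; exit 1: findings reported, or semgrep not on PATH.` / `# Output uses GitHub Actions ::error:: annotations, so it is CI-oriented.` would document it. Stating that the `::error::` workflow command is GitHub-specific matters because the file lives under scripts/shell and can be run outside Actions.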
@@ -0,0 +1,52 @@
+#!/usr/bin/env bats
+
+load "../helpers/common"
+
+SCRIPT="$BATS_TEST_DIRNAME/../../scripts/shell/security/semgrep.sh"
+
+setup() {
+ setup_test_dir
+ mkdir -p "$TEST_DIR/bin"
+ export PATH="$TEST_DIR/bin:$PATH"
+}
+
+teardown() {
+ teardown_test_dir
+}
+
+make_semgrep_stub() {
+ local exit_code="$1"
+ cat > "$TEST_DIR/bin/semgrep" <
Date: Wed, 22 Apr 2026 20:45:00 +0300
Subject: [PATCH 3/3] issues-9|document semgrep in README
---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/README.md b/README.md
index 8a137f9..e384bed 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,7 @@ that projects compose into their own workflows.
 |------|----------|------|
 | gitleaks | security | [CI/security/gitleaks.yml](https://github.com/prog-time/workflows/blob/main/CI/security/gitleaks.yml) |
 | trivy | security | [CI/security/trivy.yml](https://github.com/prog-time/workflows/blob/main/CI/security/trivy.yml) |
+| semgrep | security | [CI/security/semgrep.yml](https://github.com/prog-time/workflows/blob/main/CI/security/semgrep.yml) |
 | ESLint | linters | [CI/linters/eslint.yml](https://github.com/prog-time/workflows/blob/main/CI/linters/eslint.yml) |
 | golangci-lint | linters | [CI/linters/golangci-lint.yml](https://github.com/prog-time/workflows/blob/main/CI/linters/golangci-lint.yml) |
 | Hadolint | linters | [CI/linters/hadolint.yml](https://github.com/prog-time/workflows/blob/main/CI/linters/hadolint.yml) |
@@ -82,6 +83,7 @@ Workflows/
 │ │ │ └── yamllint.yml
 │ │ ├── security/
 │ │ │ ├── gitleaks.yml
+│ │ │ ├── semgrep.yml
 │ │ │ └── trivy.yml
 │ │ ├── static_analysis/
 │ │ │ ├── mypy.yml
@@ -110,6 +112,7 @@ Workflows/
 │ │ └── yamllint.sh
 │ └── security/
 │ ├── gitleaks.sh
+│ ├── semgrep.sh
 │ └── trivy.sh
 │
 ├── CI/ # assembled output (ready to use)
@@ -129,6 +132,7 @@ Workflows/
 │ │ └── yamllint.bats
 │ ├── security/
 │ │ ├── gitleaks.bats
+│ │ ├── semgrep.bats
 │ │ └── trivy.bats
 │ └── helpers/
 │ └── common.bash # shared test utilities (mocks, temp dirs)
@@ -204,6 +208,7 @@ shellcheck:
 |---------|------|----------------|
 | `CI/security/gitleaks.yml` | [gitleaks](https://github.com/gitleaks/gitleaks) | Hardcoded secrets, tokens, and API keys |
 | `CI/security/trivy.yml` | [trivy](https://github.com/aquasecurity/trivy) | CVEs in OS packages, container images, and dependency manifests |
+| `CI/security/semgrep.yml` | [semgrep](https://semgrep.dev) | OWASP Top 10 patterns and insecure coding patterns across Python, JS/TS, Go, Java, Ruby, and more |
 ### Linters