
Configure Semgrep to run without authentication in CI#1908

Merged
ericcornelissen merged 1 commit into main from local-semgrep-scan on Mar 11, 2025

Conversation

@ericcornelissen
Owner

Relates to #734, #1000

Summary

Reconfigure the CI to run Semgrep without auth so that we can run it for all contributions and don't depend on the availability of the Semgrep servers.

@ericcornelissen ericcornelissen added the ci/cd Relates to ci/cd label Mar 10, 2025
so we can run it for all contributions and don't depend on the
availability of the Semgrep servers.
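As an added illustration of the setup this description refers to (it is not the workflow file from this repository, nor one taken from Semgrep's documentation), a GitHub Actions job that runs Semgrep OSS against a registry ruleset with no SEMGREP_APP_TOKEN in the environment. The ruleset name, the job layout, the image tag and the SARIF upload step are assumptions; the condition on the upload step assumes the pull_request event payload's head.repo.fork field.

```yaml
name: Semgrep

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # only needed by the SARIF upload step

jobs:
  semgrep:
    runs-on: ubuntu-latest
    # Assumed image; pinning to a digest rather than a tag is preferable in practice.
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4

      # No SEMGREP_APP_TOKEN is set, so Semgrep runs the OSS/Community engine and
      # only fetches the named ruleset; there is no login handshake with the
      # Semgrep app, and the job also runs on pull requests from forks, which
      # never receive repository secrets. (p/default is an assumed ruleset; a
      # directory of rules vendored into the repo, e.g. --config .semgrep/, would
      # remove the registry fetch as well.)
      - name: Run Semgrep OSS
        run: >-
          semgrep scan
          --config p/default
          --metrics off
          --sarif --output semgrep.sarif
          --error

      # Upload needs a writable GITHUB_TOKEN; fork pull requests get a read-only
      # one, so skip the upload there and rely on the --error exit status above
      # for the check result.
      - name: Upload SARIF to GitHub code scanning
        if: ${{ !cancelled() && github.event.pull_request.head.repo.fork != true }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif
```

Two things follow from running it this way. First, without a token Semgrep applies only the Community rules of the configured ruleset, which is the drop in rule counts the comparison comment on this pull request shows; that trade-off is the price of a check that runs identically for every contributor. Second, file exclusions are taken from a .semgrepignore file in the repository root rather than from --exclude arguments passed to semgrep ci, which matches the "matching .semgrepignore patterns" line in the After output.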
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@ericcornelissen
Owner Author

ericcornelissen commented Mar 10, 2025

Comparison of scan results between these changes and the current setup below. In summary, this change appears to move from Semgrep Pro to Semgrep OSS(/Community). This translates to fewer rules being applied (Pro rules 1296, though on a per-language basis the reduction in rules is quite a bit lower, from 740 to 412) and the omission of known vulnerability scanning (SUPPLY CHAIN RULES). The former offers a trade-off (fewer rules vs. more accessible scans) that's worth it to me. The latter is really more of a nice-to-have, as we have known vulnerability scanning in place regardless (the reachability analysis is cool, but given the rate of known vulnerabilities affecting this project, of limited value).

Before

c4bf867


┌─────────────┐
│ Scan Status │
└─────────────┘
  Scanning 278 files tracked by git with 2357 Code rules, 4145 Supply Chain rules:

  CODE RULES

  Language      Rules   Files          Origin      Rules
 ─────────────────────────────        ───────────────────
  <multilang>      49      90          Pro rules    1296
  js              321      32          Community    1061
  yaml             31      23
  json              4      10
  ts              331       3
  bash              4       3

  SUPPLY CHAIN RULES

  Ecosystem   Rules   Files   Lockfiles
 ───────────────────────────────────────────────
  Npm          4145      58   package-lock.json

  Analysis       Rules
 ──────────────────────
  Basic           3519
  Reachability     626

Semgrep Pro Engine may be slower and show different results than Semgrep OSS.
  Uploading scan results
  Finalizing scan

┌──────────────┐
│ Scan Summary │
└──────────────┘
Some files were skipped or only partially analyzed.
  Scan was limited to files tracked by git.
  Scan skipped: 188 files matching --exclude patterns
  For a full list of skipped files, run semgrep with the --verbose flag.

After

ea53703

┌─────────────┐
│ Scan Status │
└─────────────┘
  Scanning 277 files tracked by git with 1060 Code rules:

  Language      Rules   Files          Origin      Rules
 ─────────────────────────────        ───────────────────
  <multilang>      49      94          Community    1060
  js              157      32
  yaml             31      22
  json              4      10
  ts              167       3
  bash              4       3

┌──────────────┐
│ Scan Summary │
└──────────────┘
Some files were skipped or only partially analyzed.
  Scan was limited to files tracked by git.
  Scan skipped: 183 files matching .semgrepignore patterns
  For a full list of skipped files, run semgrep with the --verbose flag.

@ericcornelissen ericcornelissen marked this pull request as ready for review March 11, 2025 17:30
@ericcornelissen ericcornelissen merged commit fe884ef into main Mar 11, 2025
36 checks passed
@ericcornelissen ericcornelissen deleted the local-semgrep-scan branch March 11, 2025 17:37


2 participants