
Migrate to semgrep-agent #4430

Closed
wants to merge 10 commits into from

Conversation

msorens (Contributor) commented Nov 8, 2020

🔩 Description: What code changed, and why?

Semgrep provides an eponymous command line tool, which is great for ad hoc use and is made available through several Makefiles as make semgrep and make semgrep-and-fix. For CI purposes, though, it is preferred to hook into the semgrep agent, as it provides ruleset configuration from a web dashboard (and eventually will provide historical and statistical information as well). This PR moves the CI use from semgrep to semgrep-agent.

Also, for the time being, the buildkite task is being set to not fail the build when errors are flagged, until we are at least able to pin the version of semgrep-agent (also coming soon). That removes the risk of asynchronous semgrep changes causing problems in our build.

The dashboard is available at https://semgrep.dev/manage/. Any Chef login should have access to it.

⛓️ Related Resources

NA

👍 Definition of Done

(A) PR builds do not fail when semgrep fails (currently semgrep is failing due to an issue from the vendor, so you can see this in the buildkite details).
(B) When a PR builds it is reflected in the semgrep dashboard summary (the dashboard is showing only the very latest build, and it has no details, just the summary line; more coming soon...).

👟 How to Build and Test the Change

Open a pull request; you should see the buildkite item fail, and the time on the dashboard should say something like "a minute ago" if you look promptly after buildkite finishes.

✅ Checklist

Signed-off-by: michael sorens <msorens@chef.io>

There are a couple issues the r2c folks need to fix before we can get a clean build.
netlify bot commented Nov 8, 2020

Deploy preview for chef-automate ready!

Built with commit c496f36

https://deploy-preview-4430--chef-automate.netlify.app

@msorens msorens self-assigned this Nov 8, 2020
@msorens msorens changed the title Ms/semgrep agent Migrate to semgrep-agent Nov 8, 2020
"/go/src/github.com/chef/automate"
]

- label: ":semgrep: Published"
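Review bot: the comment on this step says it is moving to the private pipeline so a token and id can be supplied; make sure the token reaches the step through the pipeline's secret/environment mechanism rather than being written into the step definition, and that the step does not echo its environment, since semgrep-agent output ends up in the build log.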

Need to move to the private pipeline to be able to provide token and id.

Comment on lines +24 to +25
SEMGREP_IGNORE := --exclude third_party --exclude *_test.go --exclude *.pb.go --exclude *.bindata.go
SEMGREP_CONFIG := https://semgrep.dev/p/r2c-ci
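Review bot: the `--exclude *_test.go`, `--exclude *.pb.go` and `--exclude *.bindata.go` patterns on line +24 are unquoted, so when a recipe that uses `$(SEMGREP_IGNORE)` is handed to the shell, any matching files in the working directory are glob-expanded before semgrep sees them, turning `--exclude *_test.go` into a single excluded filename plus stray positional targets. Quote each pattern (`--exclude '*_test.go'`) so semgrep receives the literal glob.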

PR bonus: Eliminate lots of duplication

@@ -50,13 +54,13 @@ spell:
# NB: "third_party" only exists for automate-gateway, but no harm having it for other dirs here.
semgrep:
# uncomment if custom rules beyond automate-ui ever get added
# semgrep --config $(REPOROOT)/semgrep --exclude third_party --exclude *_test.go --exclude *.pb.go --exclude *.bindata.go
semgrep --config https://semgrep.dev/p/r2c-ci --exclude third_party --exclude *_test.go --exclude *.pb.go --exclude *.bindata.go
# semgrep --config $(REPOROOT)/.semgrep $(SEMGREP_IGNORE)
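Review bot: the commented-out invocation at the end of the hunk (`# semgrep --config $(REPOROOT)/.semgrep $(SEMGREP_IGNORE)`) is dead code that will drift from the live recipe, just as the replaced commented line above it had drifted into a second copy of the exclude list; either drop it or make the custom-rules location a documented variable next to `SEMGREP_CONFIG`, so enabling a local ruleset means changing one value rather than uncommenting a stale line.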

Directory change (semgrep to .semgrep) per semgrep convention.
