Migrate to semgrep-agent #4430
Conversation
Signed-off-by: michael sorens <msorens@chef.io>
There are a couple issues the r2c folks need to fix before we can get a clean build. Signed-off-by: michael sorens <msorens@chef.io>
Deploy preview for chef-automate ready! Built with commit c496f36
"/go/src/github.com/chef/automate" | ||
] | ||
- label: ":semgrep: Published" |
Need to move to the private pipeline to be able to provide token and id.
SEMGREP_IGNORE := --exclude third_party --exclude *_test.go --exclude *.pb.go --exclude *.bindata.go | ||
SEMGREP_CONFIG := https://semgrep.dev/p/r2c-ci |
PR bonus: Eliminate lots of duplication
@@ -50,13 +54,13 @@ spell: | |||
# NB: "third_party" only exists for automate-gateway, but no harm having it for other dirs here. | |||
semgrep: | |||
# uncomment if custom rules beyond automate-ui ever get added | |||
# semgrep --config $(REPOROOT)/semgrep --exclude third_party --exclude *_test.go --exclude *.pb.go --exclude *.bindata.go | |||
semgrep --config https://semgrep.dev/p/r2c-ci --exclude third_party --exclude *_test.go --exclude *.pb.go --exclude *.bindata.go | |||
# semgrep --config $(REPOROOT)/.semgrep $(SEMGREP_IGNORE) |
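Review bot: the `--exclude` arguments on the live `semgrep --config https://semgrep.dev/p/r2c-ci ...` line, and in the commented-out `$(REPOROOT)/semgrep` / `$(REPOROOT)/.semgrep` alternatives that `$(SEMGREP_IGNORE)` now stands in for, are unquoted globs. Make hands the recipe to sh, so if a file matching `*_test.go`, `*.pb.go` or `*.bindata.go` exists in the directory the recipe runs from, the shell expands the pattern into file names; `--exclude` then takes only the first name and the rest become extra scan targets, silently changing what is scanned. Quote the patterns (`--exclude '*_test.go' --exclude '*.pb.go' --exclude '*.bindata.go'`) so semgrep receives the pattern itself. Separately, `https://semgrep.dev/p/r2c-ci` is a mutable remote ruleset, so the asynchronous-change risk the description raises for semgrep-agent applies to the Makefile target too; record which snapshot of the ruleset was validated, or pin it if the registry allows.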
Directory change (semgrep to .semgrep) per semgrep convention.
3301847 to c496f36
🔩 Description: What code changed, and why?
Semgrep provides an eponymous command line tool, which is great for ad hoc use and is made available through several Makefiles as `make semgrep` and `make semgrep-and-fix`. For CI purposes, though, it is preferred to hook into the semgrep agent, as it provides ruleset configuration from a web dashboard (and eventually will provide historical and statistical information as well). This PR moves the CI use from `semgrep` to `semgrep-agent`.

Also, for the time being, the buildkite task is being set to not fail the build when errors are flagged, until we are at least able to pin the version of semgrep-agent (also coming soon). That removes the risk of asynchronous semgrep changes causing problems in our build.
The dashboard is available at https://semgrep.dev/manage/. Any Chef login should have access to it.
⛓️ Related Resources
NA
👍 Definition of Done
(A) PR builds do not fail when semgrep fails (currently semgrep is failing due to an issue from the vendor, so you can see this in the buildkite details).
(B) When a PR builds it is reflected in the semgrep dashboard summary (the dashboard is showing only the very latest build, and it has no details, just the summary line; more coming soon...).
👟 How to Build and Test the Change
Open a pull request; you should see the buildkite item fail, and the time on the dashboard should say something like "a minute ago" if you look promptly after buildkite finishes.
✅ Checklist
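The transition described above (soft-failing the build on semgrep findings while the agent version is still unpinned, with the token and deployment id supplied from the private pipeline) as an added Buildkite step, not chef/automate's own pipeline. The image name and tag, the `SEMGREP_APP_TOKEN` / `SEMGREP_DEPLOYMENT_ID` variable names, the `--publish-token` / `--publish-deployment` flags, and the assumption that semgrep-agent exits 1 on findings are all assumptions to check against `semgrep-agent --help` before use.

```yaml
# Added example, not the project's pipeline. Names marked "assumed" are not
# taken from the PR and must be verified against the agent's own docs.
steps:
  - label: ":semgrep: Published"
    # Run from the private pipeline: the publish token and deployment id are
    # secrets and are not available to the public pipeline.
    env:
      SEMGREP_APP_TOKEN: "${SEMGREP_APP_TOKEN}"           # assumed variable name
      SEMGREP_DEPLOYMENT_ID: "${SEMGREP_DEPLOYMENT_ID}"   # assumed variable name
    plugins:
      - docker#v3.7.0:
          # Weak setting (what the PR is guarding against):
          #   image: "returntocorp/semgrep-agent:latest"
          # A floating tag lets the agent change under the build asynchronously.
          # Corrected: pin an exact tag (better: an image digest) and bump it
          # deliberately. Image name and tag are assumed here.
          image: "returntocorp/semgrep-agent:v1"
          propagate-environment: true
    command:
      # $$ defers expansion to the agent at run time instead of pipeline upload.
      - "semgrep-agent --publish-token $$SEMGREP_APP_TOKEN --publish-deployment $$SEMGREP_DEPLOYMENT_ID"
    # Weak setting: soft_fail: true swallows every non-zero exit, so a crashed
    # or misconfigured agent looks the same as a clean scan.
    # Corrected: soft-fail only the status that means "findings reported"
    # (assumed to be 1), so an agent failure still fails the step.
    soft_fail:
      - exit_status: 1
```

Once the agent version is pinned and the vendor issue noted in the description is resolved, delete the `soft_fail` block so findings block the merge again; the dashboard still receives the published results either way.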