# Semgrep Action
[![r2c community slack](https://img.shields.io/badge/r2c_slack-join-brightgreen?style=for-the-badge&logo=slack&labelColor=4A154B)](https://join.slack.com/t/r2c-community/shared_invite/enQtNjU0NDYzMjAwODY4LWE3NTg1MGNhYTAwMzk5ZGRhMjQ2MzVhNGJiZjI1ZWQ0NjQ2YWI4ZGY3OGViMGJjNzA4ODQ3MjEzOWExNjZlNTA)
Semgrep Action is a wrapper around [Semgrep](https://github.com/returntocorp/semgrep) for running as a GitHub Action, in GitLab CI, and in other CI providers, and for interfacing with [https://semgrep.dev](https://semgrep.dev).
It reviews only the changed files in pull requests with Semgrep whenever a new commit is added to them, and reports only issues that are newly introduced in that pull request.
## Usage
### In any environment
The project has deep integration with the CI environment of GitHub Actions and GitLab CI (see below),
but its more advanced features work anywhere if you pass a few environment variables.
To use Semgrep Action on the command line with a default ruleset, run

```sh
semgrep-agent --config r/all
```

To run semgrep-agent with a customized policy of rules, email and Slack notifications, and with any CI provider, use the following shell command:

```sh
SEMGREP_REPO_URL="https://example.com/myrepo" SEMGREP_JOB_URL="https://example.com/myjob" semgrep-agent --publish-deployment=<your_deployment_id> --publish-token=<your_API_token>
```

The environment variables `SEMGREP_REPO_URL` and `SEMGREP_JOB_URL` are optional, but setting them enables more helpful notifications (they can link back to the repository and the CI job).
You can customize your policies, find `your_deployment_id`, and get `your_API_token` at <https://semgrep.dev/manage>.
_Treat your API token as a SECRET and do not store it in the clear!_ Save it as a secret environment variable instead; never paste it into a committed CI file or print it in job logs.
### In GitHub
To start checking all pull requests,
add the following file at `.github/workflows/semgrep.yml`:
```yaml
name: Semgrep
on: [pull_request]
jobs:
  semgrep:
    runs-on: ubuntu-latest
    name: Check
    steps:
      - uses: actions/checkout@v1
      - name: Semgrep
        id: semgrep
        uses: returntocorp/semgrep-action@v1
        with:
          config: p/r2c
```
Note that the `p/r2c` config value
enables a default set of checks from [our registry](https://semgrep.live/explore).
You will probably want to configure a specific set of checks instead;
see how to do that by setting up a project on <https://semgrep.dev/manage/projects>.
#### Inline PR Comments
This integration supports leaving inline PR comments via the Semgrep App. To learn more, please see our [documentation](https://semgrep.dev/docs/integrations/#pull-request-comments).
## Configuration
### Selecting Rules
The `config` value lets you choose what rules and patterns semgrep should scan for.
You can specify rules in one of the following ways:
- **semgrep.live registry ID**: `config: r/python.flask`
referring to a subset of the [semgrep.live registry](https://semgrep.live/r)
- **semgrep.live ruleset ID**: `config: p/r2c`
referring to a ruleset created on [semgrep.live's rulesets page](https://semgrep.live/rulesets)
- **semgrep.live snippet ID**: `config: s/xYz` or `config: s/john:named-rule`
referring to a rule published from the [semgrep.live editor](https://semgrep.live)
If `config` is unset,
the default behavior is to look for rules
in the `.semgrep.yml` file in your repo,
or load the rules from the `.semgrep` folder in your repo.
If none of these provide a configuration,
the action will fail.
### Ignoring Paths
You can commit a `.semgrepignore` file
to skip scanning specific paths,
using the same syntax as `.gitignore`.
If there's no `.semgrepignore` file in your repository,
we will use a default ignore list that skips common test and dependency directories,
including `tests/`, `node_modules/`, and `vendor/`.
You can find the full list in our [`.semgrepignore` template file](https://github.com/returntocorp/semgrep-action/blob/v1/src/semgrep_agent/templates/.semgrepignore).
To override these default ignore patterns,
commit your own `.semgrepignore`.
Note that `.semgrepignore` is picked up only by the action,
and will not be honored when running `semgrep` manually.
### Audit mode
If you want to see findings from your whole repo
instead of just the changed files that would be scanned
whenever a pull request comes in,
you'd normally set up scans on pushes to your main branch.
This can prove difficult when you already have existing issues
that Semgrep finds on the main branch
— you probably don't want CI to fail all builds on the main branch
until every single finding is addressed.
For this case, we recommend using audit mode.
In audit mode, Semgrep will collect findings data for you to review,
but will never fail the build due to findings.
To enable audit mode on pushes in GitHub Actions,
set the option `auditOn: push` in the action's `with:` block in your workflow file.
On the command line, pass the `--audit-on <event_name>` flag.
The most common event names on GitHub are `push` and `pull_request`.
In other cases, you can find the correct event name
in the first few lines of the agent's log output.
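The following workflow is an added example for this page, not a file from the semgrep-action repository. It combines the pieces described above: blocking scans of changed files on pull requests, non-blocking audit scans of the whole repository on pushes to `main`, and publishing to semgrep.dev so that the rules come from the policy configured at <https://semgrep.dev/manage> rather than from `config`. The page documents only the `--publish-deployment` and `--publish-token` command-line flags; the action input names `publishDeployment` and `publishToken`, the secret names, and the branch name `main` are assumptions here.

```yaml
name: Semgrep
on:
  pull_request:
    branches: [main]   # changed-files scan; findings block the PR
  push:
    branches: [main]   # whole-repo scan; audit mode makes it non-blocking
jobs:
  semgrep:
    runs-on: ubuntu-latest
    name: Check
    steps:
      - uses: actions/checkout@v1
      - name: Semgrep
        id: semgrep
        uses: returntocorp/semgrep-action@v1
        with:
          # Never fail the build on push events; pull_request runs still block.
          auditOn: push
          # Input names below are assumed to mirror the documented CLI flags
          # --publish-deployment / --publish-token. The token is read from a
          # repository secret, never committed to the workflow file.
          publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}
          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
```

With `auditOn: push`, existing findings on `main` are collected for review without breaking every build, while each pull request is still held to the policy for the lines it changes.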
## Technical details
Semgrep-action scans files in the current directory with [semgrep](https://github.com/returntocorp/semgrep), and exits with a non-zero exit code if blocking issues are found.
Findings are blocking by default. They can be [set to non-blocking](https://github.com/returntocorp/semgrep-action/issues/34) by changing the action in semgrep.dev/manage/policy.
Semgrep-action has the option to report only new issues, added since a specific commit.
When run in a continuous integration (CI) pipeline, semgrep-action determines the base commit from [environment variables](https://github.com/returntocorp/semgrep-action/blob/develop/src/semgrep_agent/meta.py), as set by GitHub, GitLab, Travis or CircleCI. The base commit can also be passed on the command line using the `--baseline-ref` option.
Semgrep-action determines new issues by only [scanning modified files](https://github.com/returntocorp/semgrep-action/blob/develop/src/semgrep_agent/targets.py), and by scanning twice: it scans the current commit, checks out the base commit and scans that, and removes previously existing findings from the scan result. When using a semgrep config file stored in the repository itself, the old commit is scanned using the old version of the config file. [Findings are compared](https://github.com/returntocorp/semgrep-action/blob/develop/src/semgrep_agent/findings.py) on rule identifier, file path, matched code and count; line numbers are not part of the comparison, so a finding that merely moves within a file is not reported as new. If the identifier of a rule is modified in the semgrep configuration, or if the file containing the issues is renamed, all findings in it are considered new. Changing code that is matched by a rule will likewise result in a new finding, even though the finding was previously present and the change did not introduce it.
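The comparison described above, as an added example written for this page (it is not semgrep-action's own `findings.py` and simplifies it): findings are keyed on rule identifier, file path and matched code, duplicates are reconciled by count, and line numbers are deliberately left out of the key. The `Finding` class, the rule identifiers and the file paths in the sample data are constructed for illustration; the sample covers the four cases the text calls out (moved code, an added duplicate, a renamed file, and edited matched code).

```python
"""Added example: a minimal model of differential finding comparison."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One Semgrep match, reduced to the fields the comparison needs.

    The line number is kept for reporting only; it is NOT part of the identity,
    so code that shifts up or down a file is not reported as a new finding.
    """
    check_id: str   # rule identifier (constructed ids below, not real registry rules)
    path: str       # file path relative to the repository root
    code: str       # the matched source text
    line: int = 0   # 1-based line number, reporting only


def finding_key(f: Finding) -> tuple:
    """Identity used for baseline/head matching: rule id, path, matched code."""
    return (f.check_id, f.path, f.code)


def new_findings(baseline: list[Finding], head: list[Finding]) -> list[Finding]:
    """Return the findings in `head` not explained by a finding in `baseline`.

    When the same key occurs N times in baseline and M > N times in head,
    M - N of the head findings are reported as new. Head findings are walked
    in (path, line) order, so the earliest occurrences are the ones treated
    as pre-existing; which duplicate is "new" is otherwise arbitrary.
    """
    remaining = Counter(finding_key(f) for f in baseline)
    result = []
    for f in sorted(head, key=lambda x: (x.path, x.line)):
        key = finding_key(f)
        if remaining[key] > 0:
            remaining[key] -= 1  # consumed by a pre-existing finding
        else:
            result.append(f)
    return result


# Constructed sample data (not real scan output).
BASELINE = [
    Finding("py.exec", "app/util.py", "exec(user_input)", line=10),
    Finding("py.exec", "app/util.py", "exec(cmd)", line=40),
    Finding("py.yaml-load", "app/config.py", "yaml.load(f)", line=5),
]
HEAD = [
    # Same match, moved down three lines: not new.
    Finding("py.exec", "app/util.py", "exec(user_input)", line=13),
    # A second identical match was added: exactly one of the two is new.
    Finding("py.exec", "app/util.py", "exec(cmd)", line=43),
    Finding("py.exec", "app/util.py", "exec(cmd)", line=80),
    # File renamed: reported as new although the code did not change.
    Finding("py.yaml-load", "app/settings.py", "yaml.load(f)", line=5),
    # Matched code edited (argument renamed): reported as new.
    Finding("py.exec", "app/util.py", "exec(user_cmd)", line=90),
]


def demo() -> list[tuple[str, str, int]]:
    """Run the comparison on the sample data; returns (rule, path, line) triples."""
    return [(f.check_id, f.path, f.line) for f in new_findings(BASELINE, HEAD)]


if __name__ == "__main__":
    for check_id, path, line in demo():
        print(f"NEW {check_id} {path}:{line}")
```

The renamed-file and edited-code cases show why a diff-aware scan can still surface findings the pull request did not introduce: the key changes even though the underlying issue is the same, and nothing short of a more semantic fingerprint would recognise it.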
## Contributing
See [CONTRIBUTING.md](CONTRIBUTING.md)