splunk · ryanfaircloth · Apr 6, 2021 · Dec 18, 2020 · Jan 21, 2021 · Feb 11, 2021
@@ -63,6 +63,44 @@ jobs:
           name: Install Tools
           command: |
             pip install /tmp/workspace/dist/* --use-deprecated=legacy-resolver
+
+  semgrep:
+    environment:
+        SEMGREP_REPO_URL: << pipeline.project.git_url >>
+        SEMGREP_BRANCH: << pipeline.git.branch >>
+    docker:
+      - image: returntocorp/semgrep-agent:v1
+        user: root
+    resource_class: large
+    steps:
+      - checkout
+      - run:
+          name: "Install Dependencies"
+          command: |
+            pip3 install --upgrade semgrep
+      - run:
+          name: "Semgrep Scan"
+          no_output_timeout: 2h
+          command: |
+            export SEMGREP_REPO_NAME=splunk/${CIRCLE_PROJECT_REPONAME}
+            python -m semgrep_agent --publish-deployment ${SEMGREP_DEPLOYMENT_ID} --publish-token ${SEMGREP_PUBLISH_TOKEN}
+            # Generate the Semgrep Dashboard URL
+            export REPO_BRANCH=$(echo "<< pipeline.git.branch >>")
+            DASHBOARD_URL=$(python3 -c "from urllib.parse import quote; import os; print('https://semgrep.dev/manage/findings?repo=' + quote(os.environ['SEMGREP_REPO_NAME'], safe='') + '&tab=findings&ref_type=branch&ref=' + quote(os.environ['REPO_BRANCH'], safe=''))")
+            echo "View Result at Semgrep Dashboard: $DASHBOARD_URL"
+
+            # Semgrep Exclude files
+            dos2unix .semgrepignore
+            SEMGREP_EXCLUDE=$(sed "/^#/d" .semgrepignore | sed "/^:/d" | sed -r '/^\s*$/d' | sed ':a;N;$!ba;s/\n/ --exclude /g')
+            echo "Excluding Semgrep Files: --exclude $SEMGREP_EXCLUDE"
+            # Generate xml file
+            semgrep --config="p/r2c-ci" --config="p/r2c-security-audit" --config="p/bandit" --error --strict --timeout=0 --junit-xml -o /root/project/test-results/semgrep-scan.xml --exclude $SEMGREP_EXCLUDE     
+      - store_artifacts:
+          path: test-results
+          destination: test-results
+      - store_test_results:
+          path: test-results
+
   release:
     docker:
       - image: circleci/node:12
@@ -124,6 +162,12 @@ workflows:
   build_test:
     jobs:
       - build
+      - semgrep:
+          context:
+            - gdi-semgrep      
+          filters:
+            branches:
+              only: /.*/
       - test:
           requires:
             - build

@@ -0,0 +1,30 @@
+## Default semgrep ignore
+# Ignore git items
+.gitignore
+.git/
+:include .gitignore
+
+# Common large directories
+node_modules/
+build/
+dist/
+vendor/
+env/
+.env/
+venv/
+.venv/
+*.min.js
+
+# Common test directories
+test/
+tests/
+
+# Semgrep rules folder
+.semgrep
+
+## Additional files to be ignored
+.circleci/
+.github/
+.reuse/
+.vscode/
+.idea/
@@ -61,7 +61,7 @@ reuse = "*"
 
 [tool.poetry.dev-dependencies]
 pytest = "^6.0"
-pytest-splunk-addon = { version = "^1.3", extras = [ "docker" ] }
+pytest-splunk-addon = { version = "^1.6", extras = [ "docker" ] }
 poetry-dynamic-versioning = "^0.12"
 
 [tool.poetry-dynamic-versioning]
+42 −0		.github/workflows/sc4s_matrix.yml
+42 −0		.github/workflows/splunk_matrix.yml
+12 −3		README.md
+3 −0		SC4S_matrix.conf
+14 −4		packages/all/common/addonfactory_indexes/default/indexes.conf
+3 −0		requirements.txt
+61 −0		sc4s_sync.sh
+12 −9		splunk_matrix.conf
+93 −0		splunk_matrix_update.py
+44 −0		splunk_sync.sh