diff --git a/assets/reviewdog/cmd/brakeman.sh b/assets/reviewdog/cmd/brakeman.sh
new file mode 100755
index 00000000..88771c0a
--- /dev/null
+++ b/assets/reviewdog/cmd/brakeman.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+set -e
+if command -v gxargs > /dev/null; then
+ alias xargs=gxargs
+fi
+(if xargs -0 -n1 -a $SCRIPTPATH/all_changed_files.txt | grep -q '\.rb$'; then
+ bundle exec brakeman --quiet \
+ --no-exit-on-warn \
+ --no-exit-on-error \
+ --skip-files vendor/ \
+ --skip-libs \
+ --force \
+ --format json |
+ jq -r '.warnings[] | "\(.confidence[0:1]):\(.file):\(.line) \(.message | sub("\n";"
";"g"))
Source: \(.link)"' |
+ $SCRIPTPATH/cleaner.rb
+fi) 2>reviewdog.brakeman.stderr.log >reviewdog.brakeman.log
+
+# check if we are running in REVIEWDOG_MODE, if not print stderr and output, otherwise only stout
+if [ -z "$REVIEWDOG_MODE" ]; then
+ cat reviewdog.brakeman.stderr.log
+ cat reviewdog.brakeman.log
+else
+ cat reviewdog.brakeman.log
+fi
\ No newline at end of file
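Review bot: Because of `set -e` on L8, a non-zero exit from the subshell on L24 ends the script before the `cat` lines on L28–L29 run, so the stderr captured into `reviewdog.brakeman.stderr.log` is never printed in exactly the failure case it exists for. The pipeline's status is that of `cleaner.rb` alone (POSIX `sh` has no `pipefail`), so a `bundle exec brakeman` or `jq` failure is only visible through that log. Record the status instead of aborting: `status=0` before the subshell, `fi) 2>reviewdog.brakeman.stderr.log >reviewdog.brakeman.log || status=$?` on L24, and `exit "$status"` after the final `fi`. The same pattern is in npm-audit.sh, pip-audit.sh, safesvg.sh, semgrep.sh, sveltegrep.sh and tfsec.sh. `$SCRIPTPATH/all_changed_files.txt` on L12 should also be quoted, since an unquoted path is word-split.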
diff --git a/assets/reviewdog/cmd/npm-audit.sh b/assets/reviewdog/cmd/npm-audit.sh
new file mode 100755
index 00000000..9a15f357
--- /dev/null
+++ b/assets/reviewdog/cmd/npm-audit.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+set -e
+if command -v gxargs > /dev/null; then
+ alias xargs=gxargs
+fi
+(python3 $SCRIPTPATH/npm-audit.py |
+ $SCRIPTPATH/cleaner.rb) 2>reviewdog.npm-audit.stderr.log >reviewdog.npm-audit.log
+
+# check if we are running in REVIEWDOG_MODE, if not print stderr and output, otherwise only stout
+if [ -z "$REVIEWDOG_MODE" ]; then
+ cat reviewdog.npm-audit.stderr.log
+ cat reviewdog.npm-audit.log
+else
+ cat reviewdog.npm-audit.log
+fi
\ No newline at end of file
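Review bot: The `gxargs` alias block on L42–L44 is dead in this script — nothing after it invokes `xargs` — and the same block in pip-audit.sh (L64–L66) is equally unused. Drop it, or if it is kept so all cmd scripts share one template, say so: `# gxargs alias kept for parity with the other cmd scripts; xargs is not used here`. The path on L45 should be quoted as well: `python3 "$SCRIPTPATH/npm-audit.py"`.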
diff --git a/assets/reviewdog/cmd/pip-audit.sh b/assets/reviewdog/cmd/pip-audit.sh
new file mode 100755
index 00000000..8ecc5525
--- /dev/null
+++ b/assets/reviewdog/cmd/pip-audit.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+set -e
+if command -v gxargs > /dev/null; then
+ alias xargs=gxargs
+fi
+(python3 $SCRIPTPATH/pip-audit.py |
+ $SCRIPTPATH/cleaner.rb) 2>reviewdog.pip-audit.stderr.log >reviewdog.pip-audit.log
+
+# check if we are running in REVIEWDOG_MODE, if not print stderr and output, otherwise only stout
+if [ -z "$REVIEWDOG_MODE" ]; then
+ cat reviewdog.pip-audit.stderr.log
+ cat reviewdog.pip-audit.log
+else
+ cat reviewdog.pip-audit.log
+fi
\ No newline at end of file
diff --git a/assets/reviewdog/cmd/safesvg.sh b/assets/reviewdog/cmd/safesvg.sh
new file mode 100755
index 00000000..9b0d8701
--- /dev/null
+++ b/assets/reviewdog/cmd/safesvg.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+set -e
+# if gxargs is defined define xargs alias
+if command -v gxargs > /dev/null; then
+ alias xargs=gxargs
+fi
+(xargs -0 -n1 -a $SCRIPTPATH/all_changed_files.txt $SCRIPTPATH/xmllint.sh |
+ $SCRIPTPATH/cleaner.rb --svgo) 2>reviewdog.safesvg.stderr.log >reviewdog.safesvg.log
+
+# check if we are running in REVIEWDOG_MODE, if not print stderr and output, otherwise only stout
+if [ -z "$REVIEWDOG_MODE" ]; then
+ cat reviewdog.safesvg.stderr.log
+ cat reviewdog.safesvg.log
+else
+ cat reviewdog.safesvg.log
+fi
\ No newline at end of file
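Review bot: The `alias xargs=gxargs` on L88 only affects the `xargs` call on L90 if the shell expands aliases in a non-interactive script; `dash` and `bash` invoked as `sh` (POSIX mode) do, but plain non-interactive `bash` does not, so `bash safesvg.sh` would silently run the system xargs, and the BSD implementation on macOS lacks `-a`, making the L90 pipeline fail. A variable has no such shell dependence: replace the `if`/`alias` with `XARGS=$(command -v gxargs || echo xargs)` and use `"$XARGS" -0 -n1 -a "$SCRIPTPATH/all_changed_files.txt" "$SCRIPTPATH/xmllint.sh"` on L90. The same alias idiom is used in brakeman.sh and tfsec.sh.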
diff --git a/assets/reviewdog/cmd/semgrep.sh b/assets/reviewdog/cmd/semgrep.sh
new file mode 100755
index 00000000..bea7707e
--- /dev/null
+++ b/assets/reviewdog/cmd/semgrep.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+(semgrep \
+ -c $SCRIPTPATH/semgrep_rules/generated/oss/vulns.yaml \
+ -c $SCRIPTPATH/semgrep_rules/generated/nonfree/vulns.yaml \
+ -c $SCRIPTPATH/semgrep_rules/generated/oss/audit.yaml \
+ -c $SCRIPTPATH/semgrep_rules/generated/nonfree/audit.yaml \
+ $(find $SCRIPTPATH/semgrep_rules -name '*.yml' -or -name '*.yaml' -not -name "*.test.yml" -not -name "*.test.yaml" -not -path "$SCRIPTPATH/semgrep_rules/generated/*" | sed 's/^/-c /g') \
+ --metrics=off \
+ --quiet \
+ $([ -n "${GITHUB_BASE_REF+set}" ] && echo "--baseline-commit origin/${GITHUB_BASE_REF:-main}") \
+ --json |
+ jq -r '.results[] | "\(.extra.severity[0:1]):\(.path):\(.end.line) \(.extra.message | sub("\n";"
";"g"))
Source: \(.extra.metadata.source)
,\(if .extra.metadata.assignees then .extra.metadata.assignees else "null" end | sub("\n";" ";"g"))"' |
+ $SCRIPTPATH/cleaner.rb --semgrep --assignees) 2>reviewdog.semgrep.stderr.log >reviewdog.semgrep.log
+
+# check if we are running in REVIEWDOG_MODE, if not print stderr and output, otherwise only stout
+if [ -z "$REVIEWDOG_MODE" ]; then
+ cat reviewdog.semgrep.stderr.log
+ cat reviewdog.semgrep.log
+else
+ cat reviewdog.semgrep.log
+fi
\ No newline at end of file
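Review bot: Nothing guards `$SCRIPTPATH` before it is used on L110–L114; with the variable unset the rule paths collapse to `/semgrep_rules/...` and `find /semgrep_rules` runs, and since the pipeline's exit status is `cleaner.rb`'s, the misconfiguration surfaces only in the stderr log. A one-line precondition at the top, `: "${SCRIPTPATH:?SCRIPTPATH must point at the reviewdog assets directory}"`, fails fast with a clear message; the same guard fits the other six scripts. A header comment would also help: which environment variables the script reads (`SCRIPTPATH`, `GITHUB_BASE_REF`, `REVIEWDOG_MODE`), which log files it writes in the current directory, and that its stdout is what reviewdog parses against the `%t:%f:%l %m` errorformat.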
diff --git a/assets/reviewdog/cmd/sveltegrep.sh b/assets/reviewdog/cmd/sveltegrep.sh
new file mode 100755
index 00000000..338baf47
--- /dev/null
+++ b/assets/reviewdog/cmd/sveltegrep.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+set -e
+(python3 $SCRIPTPATH/scripttagextractor.py \
+ --suffix .extractedscript.js \
+ --ignore-no-files \
+ --all-changed-files-suffix .html &&
+ python3 $SCRIPTPATH/scripttagextractor.py \
+ --add-suffix-to-original .extractedscript.html \
+ --suffix .extractedscript.ts \
+ --ignore-no-files \
+ --all-changed-files-suffix .svelte &&
+ semgrep \
+ -c $SCRIPTPATH/semgrep_rules/generated/oss/vulns.yaml \
+ -c $SCRIPTPATH/semgrep_rules/generated/nonfree/vulns.yaml \
+ -c $SCRIPTPATH/semgrep_rules/generated/oss/audit.yaml \
+ -c $SCRIPTPATH/semgrep_rules/generated/nonfree/audit.yaml \
+ $(find $SCRIPTPATH/semgrep_rules -name '*.yml' -or -name '*.yaml' -not -name "*.test.yml" -not -name "*.test.yaml" -not -path "$SCRIPTPATH/semgrep_rules/generated/*" | sed 's/^/-c /g') \
+ --metrics=off \
+ --json \
+ --quiet \
+ --no-git-ignore \
+ '--include=*.extractedscript.ts' \
+ '--include=*.extractedscript.js' \
+ '--include=*.extractedscript.html' \
+ ./ |
+ jq -r '.results[] | "\(.extra.severity[0:1]):\(.path):\(.end.line) \(.extra.message | sub("\n";"
";"g"))
Source: \(.extra.metadata.source)
,\(if .extra.metadata.assignees then .extra.metadata.assignees else "null" end | sub("\n";" ";"g"))"' |
+ $SCRIPTPATH/cleaner.rb --assignees --sveltegrep &&
+ find . -type f -name '*.extractedscript.*' -delete) 2>reviewdog.sveltegrep.stderr.log >reviewdog.sveltegrep.log
+
+# check if we are running in REVIEWDOG_MODE, if not print stderr and output, otherwise only stout
+if [ -z "$REVIEWDOG_MODE" ]; then
+ cat reviewdog.sveltegrep.stderr.log
+ cat reviewdog.sveltegrep.log
+else
+ cat reviewdog.sveltegrep.log
+fi
\ No newline at end of file
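Review bot: The cleanup `find . -type f -name '*.extractedscript.*' -delete` on L169 is the last link of an `&&` chain, so when `scripttagextractor.py`, `semgrep` or `cleaner.rb` fails the generated `*.extractedscript.*` files stay in the working tree, and `set -e` then exits before anything else could remove them. Run the cleanup unconditionally with an exit trap registered before extraction starts, `trap 'find . -type f -name "*.extractedscript.*" -delete' EXIT` after L140, and drop the trailing `&&` on L168 together with the `find` on L169. With the cleanup outside the subshell its output no longer goes to the log files, which is presumably fine for a delete.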
diff --git a/assets/reviewdog/cmd/tfsec.sh b/assets/reviewdog/cmd/tfsec.sh
new file mode 100755
index 00000000..d3a96ce5
--- /dev/null
+++ b/assets/reviewdog/cmd/tfsec.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+if command -v gxargs > /dev/null; then
+ alias xargs=gxargs
+fi
+(xargs -0 -n1 -a $SCRIPTPATH/all_changed_files.txt | grep '\.tf$' | xargs -r -d '\n' dirname | sort -u |
+ xargs -r -d '\n' $SCRIPTPATH/tfsec.sh |
+ jq -r '.diagnostics[] | "\(.severity[0:1]):\(.location.path):\(.location.range.start.line) \(.message | sub("\n";"
";"g"))
source: \(.code.url)
"' |
+ $SCRIPTPATH/cleaner.rb) 2>reviewdog.tfsec.stderr.log >reviewdog.tfsec.log
+
+# check if we are running in REVIEWDOG_MODE, if not print stderr and output, otherwise only stout
+if [ -z "$REVIEWDOG_MODE" ]; then
+ cat reviewdog.tfsec.stderr.log
+ cat reviewdog.tfsec.log
+else
+ cat reviewdog.tfsec.log
+fi
\ No newline at end of file
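Review bot: The jq template on L192–L195 labels the link `source:` (lower case) and ends the string with a bare newline, while brakeman.sh, semgrep.sh and sveltegrep.sh emit `Source:` with no trailing newline; if `cleaner.rb` matches on that label (not visible here), tfsec findings would lose their link, and the extra newline produces an empty line per diagnostic that the errorformat has to tolerate. Align it with the others: `Source: \(.code.url)"' |` as the closing line, dropping the bare newline before `"'`. `$SCRIPTPATH/all_changed_files.txt` and `$SCRIPTPATH/tfsec.sh` on L190–L191 should be quoted as well.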
diff --git a/assets/reviewdog/reviewdog.yml b/assets/reviewdog/reviewdog.yml
index 7b97b073..a95bb56a 100644
--- a/assets/reviewdog/reviewdog.yml
+++ b/assets/reviewdog/reviewdog.yml
@@ -1,102 +1,36 @@
runner:
semgrep:
name: semgrep
- cmd: |
- set -e
- (semgrep \
- -c $SCRIPTPATH/semgrep_rules/generated/oss/vulns.yaml \
- -c $SCRIPTPATH/semgrep_rules/generated/nonfree/vulns.yaml \
- -c $SCRIPTPATH/semgrep_rules/generated/oss/audit.yaml \
- -c $SCRIPTPATH/semgrep_rules/generated/nonfree/audit.yaml \
- $(find $SCRIPTPATH/semgrep_rules -name '*.yml' -or -name '*.yaml' -not -name "*.test.yml" -not -name "*.test.yaml" -not -path "$SCRIPTPATH/semgrep_rules/generated/*" | sed 's/^/-c /g') \
- --metrics=off \
- --quiet \
- $([ -n "${GITHUB_BASE_REF+set}" ] && echo "--baseline-commit origin/${GITHUB_BASE_REF:-main}") \
- --json \
- | jq -r '.results[] | "\(.extra.severity[0:1]):\(.path):\(.end.line) \(.extra.message | sub("\n";"
";"g"))
Source: \(.extra.metadata.source)
,\(if .extra.metadata.assignees then .extra.metadata.assignees else "null" end | sub("\n";" ";"g"))"' \
- | $SCRIPTPATH/cleaner.rb --semgrep --assignees) 2> reviewdog.semgrep.stderr.log
+ cmd: REVIEWDOG_MODE=1 $SCRIPTPATH/reviewdog/cmd/semgrep.sh
errorformat:
- "%t:%f:%l %m"
sveltegrep:
name: sveltegrep
- cmd: |
- set -e
- (python3 $SCRIPTPATH/scripttagextractor.py \
- --suffix .extractedscript.js \
- --ignore-no-files \
- --all-changed-files-suffix .html && \
- python3 $SCRIPTPATH/scripttagextractor.py \
- --add-suffix-to-original .extractedscript.html \
- --suffix .extractedscript.ts \
- --ignore-no-files \
- --all-changed-files-suffix .svelte && \
- semgrep \
- -c $SCRIPTPATH/semgrep_rules/generated/oss/vulns.yaml \
- -c $SCRIPTPATH/semgrep_rules/generated/nonfree/vulns.yaml \
- -c $SCRIPTPATH/semgrep_rules/generated/oss/audit.yaml \
- -c $SCRIPTPATH/semgrep_rules/generated/nonfree/audit.yaml \
- $(find $SCRIPTPATH/semgrep_rules -name '*.yml' -or -name '*.yaml' -not -name "*.test.yml" -not -name "*.test.yaml" -not -path "$SCRIPTPATH/semgrep_rules/generated/*" | sed 's/^/-c /g') \
- --metrics=off \
- --json \
- --quiet \
- --no-git-ignore \
- '--include=*.extractedscript.ts' \
- '--include=*.extractedscript.js' \
- '--include=*.extractedscript.html' \
- ./ \
- | jq -r '.results[] | "\(.extra.severity[0:1]):\(.path):\(.end.line) \(.extra.message | sub("\n";"
";"g"))
Source: \(.extra.metadata.source)
,\(if .extra.metadata.assignees then .extra.metadata.assignees else "null" end | sub("\n";" ";"g"))"' \
- | $SCRIPTPATH/cleaner.rb --assignees --sveltegrep && \
- find . -type f -name '*.extractedscript.*' -delete) 2> reviewdog.sveltegrep.stderr.log
+ cmd: REVIEWDOG_MODE=1 $SCRIPTPATH/reviewdog/cmd/sveltegrep.sh
errorformat:
- "%t:%f:%l %m"
safesvg:
name: safesvg
- cmd: |
- set -e
- (xargs -0 -n1 -a $SCRIPTPATH/all_changed_files.txt $SCRIPTPATH/xmllint.sh \
- | $SCRIPTPATH/cleaner.rb --svgo) 2> reviewdog.safesvg.stderr.log
+ cmd: REVIEWDOG_MODE=1 $SCRIPTPATH/reviewdog/cmd/savesvg.sh
errorformat:
- "%f:%l: %m"
tfsec:
name: tfsec
- cmd: |
- set -e
- (xargs -0 -n1 -a $SCRIPTPATH/all_changed_files.txt | grep '\.tf$' | xargs -r -d '\n' dirname | sort -u \
- | xargs -r -d '\n' $SCRIPTPATH/tfsec.sh \
- | jq -r '.diagnostics[] | "\(.severity[0:1]):\(.location.path):\(.location.range.start.line) \(.message | sub("\n";"
";"g"))
source: \(.code.url)
"' \
- | $SCRIPTPATH/cleaner.rb) 2> reviewdog.tfsec.stderr.log
+ cmd: REVIEWDOG_MODE=1 $SCRIPTPATH/reviewdog/cmd/tfsec.sh
errorformat:
- "%t:%f:%l %m"
brakeman:
name: brakeman
- cmd: |
- set -e
- (if xargs -0 -n1 -a $SCRIPTPATH/all_changed_files.txt | grep -q '\.rb$'; then
- bundle exec brakeman --quiet \
- --no-exit-on-warn \
- --no-exit-on-error \
- --skip-files vendor/ \
- --skip-libs \
- --force \
- --format json \
- | jq -r '.warnings[] | "\(.confidence[0:1]):\(.file):\(.line) \(.message | sub("\n";"
";"g"))
Source: \(.link)"' \
- | $SCRIPTPATH/cleaner.rb
- fi) 2> reviewdog.brakeman.stderr.log
+ cmd: REVIEWDOG_MODE=1 $SCRIPTPATH/reviewdog/cmd/brakeman.sh
errorformat:
- "%t:%f:%l %m"
npm-audit:
name: npm-audit
- cmd: |
- set -e
- (python3 $SCRIPTPATH/npm-audit.py \
- | $SCRIPTPATH/cleaner.rb) 2> reviewdog.npm-audit.stderr.log
+ cmd: REVIEWDOG_MODE=1 $SCRIPTPATH/reviewdog/cmd/npm-audit.sh
errorformat:
- "%t:%f:%l %m"
pip-audit:
name: pip-audit
- cmd: |
- set -e
- (python3 $SCRIPTPATH/pip-audit.py \
- | $SCRIPTPATH/cleaner.rb) 2> reviewdog.pip-audit.stderr.log
+ cmd: REVIEWDOG_MODE=1 $SCRIPTPATH/reviewdog/cmd/pip-audit.sh
errorformat:
- "%t:%f:%l %m"