update CI (#567)

verygoodsecurity · Aug 25, 2023 · c984667 · c984667
1 parent 69d3fb2
commit c984667
Show file tree

Hide file tree

Showing 3 changed files with 105 additions and 1 deletion.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,5 +1,11 @@
 version: 2.1
 
+# === Scheduled Pipeline Parameters ===
+parameters:
+ nightly-security-scan:
+ type: boolean
+ default: false
+
 aliases:
  - &environment
  working_directory: ~/code
@@ -67,10 +73,66 @@ jobs:
  --device model=redfin,version=30,locale=en,orientation=portrait \
  --device model=bluejay,version=32,locale=en,orientation=portrait \
 
+ scan-sast-pr:
+ parameters:
+ default_branch:
+ type: string
+ default: master
+ environment:
+ SEMGREP_REPO_URL: << pipeline.project.git_url >>
+ SEMGREP_BRANCH: << pipeline.git.branch >>
+ SEMGREP_BASELINE_REF: << parameters.default_branch >>
+ docker:
+ - image: returntocorp/semgrep
+ steps:
+ - checkout
+ - run:
+ name: "Semgrep diff scan"
+ command: semgrep ci
+
+ scan-sast-full:
+ parameters:
+ default_branch:
+ type: string
+ default: master
+ environment:
+ SEMGREP_REPO_URL: << pipeline.project.git_url >>
+ SEMGREP_BRANCH: << pipeline.git.branch >>
+ docker:
+ - image: returntocorp/semgrep
+ steps:
+ - checkout
+ - run:
+ name: "Semgrep full scan"
+ command: semgrep ci
 workflows:
  main:
+ when:
+ not: << pipeline.parameters.nightly-security-scan >>
  jobs:
  - "Run_Unit_Test_And_Build"
+ - scan-sast-pr:
+ context:
+ - security-tools
+
+ - scan-sast-full:
+ filters:
+ # ignore any commit on any branch by default
+ branches:
+ ignore: /.*/
+ tags:
+ only:
+ - /production-.*/
+ context:
+ - security-tools
+
  - "Run_UI_Test":
  requires:
- - "Run_Unit_Test_And_Build"
+ - "Run_Unit_Test_And_Build"
+
+ scheduled-security-scan:
+ when: << pipeline.parameters.nightly-security-scan >>
+ jobs:
+ - scan-sast-full:
+ context:
+ - security-tools
diff --git a/.semgrepignore b/.semgrepignore
@@ -0,0 +1,21 @@
+# Common large paths
+node_modules/
+build/
+dist/
+vendor/
+.env/
+.venv/
+.tox/
+*.min.js
+.npm/
+
+# Common test paths
+test/
+tests/
+*_test.go
+
+# Semgrep rules folder
+.semgrep
+
+# Semgrep-action log folder
+.semgrep_logs/
diff --git a/.semgrepignore.py b/.semgrepignore.py
@@ -0,0 +1,21 @@
+# Common large paths
+node_modules/
+build/
+dist/
+vendor/
+.env/
+.venv/
+.tox/
+*.min.js
+.npm/
+
+# Common test paths
+test/
+tests/
+*_test.go
+
+# Semgrep rules folder
+.semgrep
+
+# Semgrep-action log folder
+.semgrep_logs/