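---
# GitLab CI job that runs semgrep over the repository in the `test` stage.
# The comments below refer to a "calling gitlab-ci.yml", so this file is
# presumably included from a project's own pipeline; that pipeline can
# override the image via WM_APPSEC_SEMGREP_IMAGE and the semgrep arguments
# via WM_APPSEC_SEMGREP_OPTIONS.
semgrep_check:
    image: docker-registry.wikimedia.org/${WM_APPSEC_SEMGREP_IMAGE}
    stage: test
    allow_failure: false  # security-related job should not be allowed to fail

    variables:
        # Default semgrep arguments; replaced in before_script when the
        # calling pipeline sets WM_APPSEC_SEMGREP_OPTIONS.
        SEMGREP_OPTIONS: "--metrics=off --time --exclude=vendor --exclude=node_modules --config=p/ci --config=p/security-audit"

    before_script:
        # NOTE(review): no `apt-get install` follows this update; confirm it is still needed.
        - apt-get update -yqq
        # NOTE(review): this installs whatever semgrep version PyPI serves at job
        # time, so scan results are not reproducible across runs; consider pinning
        # a version (and hash) here.
        - python3 -m pip install semgrep
        - |
          # Use alternative semgrep options if the calling gitlab-ci.yml file specified them.
          # The variable must be quoted: a multi-word option string would otherwise make
          # `[` fail with "too many arguments" and the override would be silently skipped.
          if [ -n "${WM_APPSEC_SEMGREP_OPTIONS}" ]; then
            SEMGREP_OPTIONS="${WM_APPSEC_SEMGREP_OPTIONS}"
          fi

    script:
        # Intentionally unquoted so the option string is word-split into
        # separate semgrep arguments.
        - semgrep ${SEMGREP_OPTIONS}

    # optional artifact reports - not necessary for now
    # script: semgrep-agent --gitlab-json > gl-sast-report.json || true
    # artifacts:
    #   reports:
    #     sast: gl-sast-report.json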