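# Semgrep SAST job, intended to be `include:`d from a project's .gitlab-ci.yml.
# The including project must set WM_APPSEC_SEMGREP_IMAGE and may set
# WM_APPSEC_SEMGREP_OPTIONS to replace the default rule sets / flags below.
semgrep_check:

    image: docker-registry.wikimedia.org/${WM_APPSEC_SEMGREP_IMAGE}
    stage: test

    allow_failure: false # security-related job should not be allowed to fail

    variables:
        # p/ci and p/security-audit are Semgrep registry rule sets. The previous
        # value "--config=/p/security-audit" had a leading slash, which semgrep
        # treats as a local filesystem path rather than a registry reference.
        # --error makes findings exit non-zero so that allow_failure: false
        # actually blocks the pipeline; without it `semgrep scan` exits 0 even
        # when it reports findings, and the job only fails on tool errors.
        SEMGREP_OPTIONS: "--config=p/ci --config=p/security-audit --error --metrics=off --time --verbose --exclude=vendor --exclude=node_modules"

    before_script:
        - apt-get update -yqq && apt-get install -yqq --no-install-recommends git
        # Prefer the semgrep shipped in the (pinned) image and only fall back to
        # PyPI when it is absent. The previous unconditional
        # `pip install --upgrade semgrep` fetched an unpinned latest release on
        # every run, which is a supply-chain exposure for a job that gates
        # merges and makes results non-reproducible.
        # TODO: pin a version (semgrep==X.Y.Z) or drop this line once the image
        # is confirmed to ship semgrep.
        - command -v semgrep >/dev/null 2>&1 || python3 -m pip install --upgrade semgrep
        - |
          # Let the including .gitlab-ci.yml override the default semgrep options.
          # The expansion must be quoted: the value is a space-separated flag
          # list, so an unquoted `[ ! -z ${...} ]` expands to several words and
          # makes `[` fail with "too many arguments" (aborting the job under
          # the runner's `set -e`).
          if [ -n "${WM_APPSEC_SEMGREP_OPTIONS:-}" ]; then
            SEMGREP_OPTIONS="${WM_APPSEC_SEMGREP_OPTIONS}"
          fi

    # GitLab runs before_script and script in the same shell, which is what
    # makes the SEMGREP_OPTIONS reassignment above visible here. Word splitting
    # of ${SEMGREP_OPTIONS} is intentional: it is a list of flags, not one arg.
    script:
        - semgrep ${SEMGREP_OPTIONS}

    # optional artifact reports - not necessary for now
    # script: semgrep-agent --gitlab-json > gl-sast-report.json || true
    # artifacts:
    #   reports:
    #     sast: gl-sast-report.json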