From 5a760b49f810533c179bf187b8400622f76a0f16 Mon Sep 17 00:00:00 2001
From: Giuseppe Scuglia
Date: Thu, 19 Dec 2024 15:55:24 +0100
Subject: [PATCH] Semgrep pre-commit hook

---
.../github/semgrep_secrets_scanning.test.yaml | 13 +++++
.../correct/.pre-commit-config.yaml | 13 +++++
.../misconfigured/.pre-commit-config.yaml | 9 ++++
.../github/semgrep_secrets_scanning.yaml | 53 +++++++++++++++++++
4 files changed, 88 insertions(+)
create mode 100644 rule-types/github/semgrep_secrets_scanning.test.yaml
create mode 100644 rule-types/github/semgrep_secrets_scanning.testdata/correct/.pre-commit-config.yaml
create mode 100644 rule-types/github/semgrep_secrets_scanning.testdata/misconfigured/.pre-commit-config.yaml
create mode 100644 rule-types/github/semgrep_secrets_scanning.yaml

diff --git a/rule-types/github/semgrep_secrets_scanning.test.yaml b/rule-types/github/semgrep_secrets_scanning.test.yaml
new file mode 100644
index 0000000..4e0c7dc
--- /dev/null
+++ b/rule-types/github/semgrep_secrets_scanning.test.yaml
@@ -0,0 +1,13 @@
+tests:
+ - name: "Should have Semgrep pre-commit hook configured"
+ def: {}
+ params: {}
+ expect: "pass"
+ git:
+ repo_base: correct
+ - name: "Should fail Semgrep pre-commit hook is not configured"
+ def: {}
+ params: {}
+ expect: "fail"
+ git:
+ repo_base: misconfigured
diff --git a/rule-types/github/semgrep_secrets_scanning.testdata/correct/.pre-commit-config.yaml b/rule-types/github/semgrep_secrets_scanning.testdata/correct/.pre-commit-config.yaml
new file mode 100644
index 0000000..ced58d9
--- /dev/null
+++ b/rule-types/github/semgrep_secrets_scanning.testdata/correct/.pre-commit-config.yaml
@@ -0,0 +1,13 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v3.2.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-yaml
+ - id: check-added-large-files
+ args: ['--maxkb=600']
+- repo: https://github.com/semgrep/pre-commit
+ rev: 'v1.101.0'
+ hooks:
+ - id: semgrep
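Review bot: The second test name, `Should fail Semgrep pre-commit hook is not configured`, reads as a sentence fragment; `Should fail when the Semgrep pre-commit hook is not configured` states what is asserted. Both cases ship a `.pre-commit-config.yaml`, so the rule's behaviour on a repository with no such file, or with one that is not valid YAML, is never exercised. A third case with a `repo_base` fixture that lacks the file and `expect: "fail"` would pin that path, since a deny-by-default rule should report a fail there rather than an evaluation error.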
diff --git a/rule-types/github/semgrep_secrets_scanning.testdata/misconfigured/.pre-commit-config.yaml b/rule-types/github/semgrep_secrets_scanning.testdata/misconfigured/.pre-commit-config.yaml
new file mode 100644
index 0000000..98d3157
--- /dev/null
+++ b/rule-types/github/semgrep_secrets_scanning.testdata/misconfigured/.pre-commit-config.yaml
@@ -0,0 +1,9 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v3.2.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-yaml
+ - id: check-added-large-files
+ args: ['--maxkb=600']
diff --git a/rule-types/github/semgrep_secrets_scanning.yaml b/rule-types/github/semgrep_secrets_scanning.yaml
new file mode 100644
index 0000000..55808c4
--- /dev/null
+++ b/rule-types/github/semgrep_secrets_scanning.yaml
@@ -0,0 +1,53 @@
+---
+version: v1
+release_phase: alpha
+type: rule-type
+name: semgrep_secrets_scanning
+display_name: Enable Semgrep Pre-commit hooks for detecting secrets
+short_failure_message: Semgrep Pre-commit hook is not configured for the repository
+severity:
+ value: medium
+context: {}
+description: |
+ Verifies that Semgrep Pre-commit hook is configured via a GitHub action for the repository, and remediate
+guidance: |
+ Likewise, you can configure a hook to run a semgrep scan with the semgrep hook. As an example, the following configuration would scan the files to be committed with a specified config, skipping files with unknown extensions.
+ For more information, see the [Semgrep Pre-commit](https://semgrep.dev/docs/secure-guardrails/secure-guardrails-in-semgrep) documentation.
+def:
+ in_entity: repository
+ rule_schema:
+ type: object
+ properties: {}
+ ingest:
+ type: git
+ git: {}
+ eval:
+ type: rego
+ rego:
+ type: deny-by-default
+ def: |
+ package minder
+ import future.keywords.if
+ import future.keywords.every
+
+ default message := "Semgrep pre-commit hook is not configured for the repository"
+ default allow := false
+
+
+ # pre-commit hook
+ precommit := file.read(".pre-commit-config.yaml")
+
+ parsed_data := parse_yaml(precommit)
+
+ allow if {
+ some repo_id, hook_id
+ repo_data := parsed_data.repos[repo_id]
+ endswith(repo_data["repo"], "https://github.com/semgrep/pre-commit")
+ semgrep_hooks = repo_data["hooks"]
+ semgrep_hooks[hook_id].id == "semgrep"
+ }
+
+ message := "" if allow
+ alert:
+ type: security_advisory
+ security_advisory: {}
\ No newline at end of file
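Review bot: The repo match in `allow`, `endswith(repo_data["repo"], "https://github.com/semgrep/pre-commit")`, accepts any string that merely carries that suffix yet still rejects the common `.git` and trailing-slash spellings, so normalising and comparing for equality, `trim_suffix(trim_suffix(repo_data["repo"], "/"), ".git") == "https://github.com/semgrep/pre-commit"`, is both stricter and more forgiving. The body only checks that some hook has `id == "semgrep"` and never inspects `args`, so a hook running a non-secrets ruleset satisfies a rule named `semgrep_secrets_scanning`; either check `args` for the secrets configuration or state the limitation in `description`, which today also says the hook is "configured via a GitHub action" although the rule reads `.pre-commit-config.yaml`, and ends mid-sentence at "and remediate". The `guidance` text opens with "Likewise" and refers to "the following configuration" but no example follows; a short snippet showing a `https://github.com/semgrep/pre-commit` entry with a `semgrep` hook would make it actionable. `import future.keywords.every` is unused, and `semgrep_hooks = repo_data["hooks"]` should use `:=` like the other assignments. If `file.read` errors on a missing file rather than being undefined, the rule surfaces an evaluation error instead of a fail, which is worth confirming since no fixture covers a repository without the config file.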