Integrate SEMGREP into CI/CD

What is Semgrep?

Semgrep is a popular open-source static analysis tool that scans source code in many languages and also offers checks for secrets, infrastructure-as-code, and more. It is good at finding common coding errors and insecure code patterns.

Security Stage: SAST (static code analysis)
Type: Open Source
Languages: Java, Python, C#, JavaScript/TypeScript, YAML, Docker, CloudFormation, Kubernetes, Terraform, Scala, Ruby, Go, and more
Site: https://semgrep.dev/


Prerequisite

1. You'll need the Git URL of a repository to scan.


How do I set it up?

Adding Semgrep to your set of security tests is simple.

  • Click on the application you wish to add the tool for, and edit the version (stage) configuration.

[Screenshot: EditStage]

  • Ensure that the version's 'Uri' is set to the Git URL of the repo being tested (either through the Uleska UI, or via the CLI/API). This will include the branch and auth details needed.

[Screenshot: SASTSetup-1]

  • Click Save.

  • Create a new Toolkit (or edit an existing one) by following the Creating a Toolkit guide and selecting 'Semgrep' as a tool.

[Screenshot: semgrep]

  • When adding the Semgrep tool, you can choose a number of Semgrep rules to run (up to 10). No 'Connection Name' is needed for Semgrep, so ignore this setting.

[Screenshot: semgrepconfig]

  • Click Save.

Now any time you click 'Test Now' and select your Toolkit that includes Semgrep, or make a request over the Uleska API or CLI that includes that Toolkit, the Semgrep tool will be included in the test run and any results added to your vulnerabilities list.
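To make the 'Semgrep rules' selected in the steps above concrete, here is an added example of a minimal Semgrep rule in the YAML format the Semgrep engine reads. It is not from the Uleska documentation or the Semgrep registry; the rule id, message and the Python snippets in the comments are constructed for illustration. Whether Uleska accepts custom rule files like this one or only registry rules is not stated on this page; the example only shows what a rule is and what kind of finding it produces.

```yaml
# Added example (not from Uleska or the Semgrep registry).
# Flags Python subprocess calls that use shell=True, a common source of
# OS command injection when any argument is built from user input.
rules:
  - id: example-subprocess-shell-true        # constructed rule id
    languages: [python]
    severity: WARNING
    message: >-
      subprocess call with shell=True: if any part of the command comes from
      user input this allows OS command injection. Pass the command as an
      argument list and drop shell=True.
    # $FUNC matches any function name (run, call, Popen, ...);
    # "..." matches any other arguments before or after shell=True.
    pattern: subprocess.$FUNC(..., shell=True, ...)
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
# What this rule reports (constructed Python snippets):
#   flagged:     subprocess.run("ls -l " + user_dir, shell=True)
#   not flagged: subprocess.run(["ls", "-l", user_dir])
```

When a scan runs with a rule like this, each match is reported with the rule id, severity, message and the file and line of the offending call, which is the information that lands in the vulnerabilities list described above.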

Notes

Configuration for profiles, test IDs, and levels is not currently supported but will be included in a future release.