Welcome!
I'm excited you're here!
Together we're going to see how we can quickly and easily set up continuous code scanning using Semgrep, an open source, lightweight static analysis tool.
We'll see how Semgrep's out-of-the-box rules can find and block a broad variety of vulnerabilities and enforce secure guardrails (also called "paved road" or "secure defaults").
We'll use the awesome OWASP Juice Shop project as the repo we'll scan, and we'll use GitHub Actions to scan every Pull Request (PR).
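As an added illustration (not one of this lab's files), here is the shape of GitHub Actions workflow the lab has you build: it runs Semgrep on every pull request and fails the check when blocking findings are reported. The file path and the secret name `SEMGREP_APP_TOKEN` are assumptions; the lab's own workflow may differ.

```yaml
# .github/workflows/semgrep.yml  (hypothetical path; added example, not the lab's own file)
name: Semgrep

on:
  pull_request: {}           # scan every PR against its base branch

permissions:
  contents: read             # least privilege: the scan only needs to read the checkout

jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep  # official image with the Semgrep CLI preinstalled
    steps:
      - uses: actions/checkout@v4
      # `semgrep ci` fetches the rules configured for this repo in your Semgrep
      # dashboard and exits non-zero on blocking findings, which marks the PR
      # check as failed and lets branch protection block the merge.
      - run: semgrep ci
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}  # assumed secret name
```

If you have not set up a dashboard token yet, the same job can run `semgrep scan --config p/default --error` instead to use the public default ruleset and still fail the check on findings.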
How This Lab Works
Basically, at each stage you'll be provided with some information, either as a GitHub issue, PR, or a comment on one of those.
Then, there'll be an ⌨️ Activity section at the bottom that has you complete some concrete steps, either in this repo (like editing files, opening or closing PRs or Issues) or on Semgrep-related sites (e.g. writing new rules, setting up and configuring your dashboard, etc.).
After you complete the steps in the Activity section, the bot will either autodetect what you've done and move you to the next step, or perhaps respond to a comment we ask you to write.
💡 Important Notes
If at any point throughout this lab you're not seeing a bot response or scan update that you'd expect, try refreshing the page; sometimes things get into a wonky state.
⌨️ Activity: See Docs Links
We created a new Issue with useful documentation for you to review if you get stuck. Give it a quick skim.
Comment on this issue and the bot will respond with next steps.
I'll respond in this pull request when I detect a comment posted to it.