luizfreche / intro-to-semgrep

https://lab.github.com/returntocorp/intro-to-semgrep
MIT License

Welcome to Semgrep! #1

Closed github-learning-lab[bot] closed 3 years ago

github-learning-lab[bot] commented 3 years ago

Welcome!

I'm excited you're here! 👋

Together we're going to see how we can quickly and easily set up continuous code scanning using Semgrep, an open source, lightweight static analysis tool.

We'll see how Semgrep's out-of-the-box rules can find and block a broad variety of vulnerabilities and enforce secure guardrails (also called "paved road" or "secure defaults").

We'll use the awesome OWASP Juice Shop project as the repo we'll scan, and we'll use GitHub Actions to scan every Pull Request (PR).

How This Lab Works

Basically, at each stage you'll be provided with some information, either as a GitHub issue, PR, or a comment on one of those.

Then, there'll be an ⌨️ Activity section at the bottom, that has you complete some concrete steps, either in this repo (like editing files, opening or closing PRs or Issues) or on Semgrep-related sites (e.g. writing new rules, setting up and configuring your dashboard, etc.).

After you complete the steps in the Activity section, the bot will either autodetect what you've done and move you to the next step, or perhaps respond to a comment we ask you to write.

💡 Important Notes

If at any point throughout this lab you're not seeing a bot response or scan update that you'd expect to, try refreshing the page, sometimes things get in a wonky state.

⌨️ Activity: See Docs Links

  1. We created a new Issue with useful documentation for you to review if you get stuck. Give it a quick skim.
  2. Comment on this issue and the bot will respond with next steps 🚀

I'll respond in this pull request when I detect a comment posted to it.

luizfreche commented 3 years ago

...

github-learning-lab[bot] commented 3 years ago

Getting Started

Alright, first we'll do a few quick things to get you up and running.

At a high level, here's what we're going to do:

Join the r2c Community Slack - There's a channel for this workshop you can ask questions in, and we'll use it to set up notifications when Semgrep finds issues.

Create a free Semgrep App account - This lets us easily manage Semgrep in CI, set up notifications, configure scanning policy, view results over time, and more.

⌨️ Activity: Create a Dashboard Account, Set up Slack Notifications

  1. Join a Slack channel that allows you to add webhook notifications, or create a new Slack instance if you don't have one available.
  2. Log in to the Semgrep Dashboard.
  3. Set up Slack Notifications.
    1. Visit the Slack App Directory (https://your_slacks_name.slack.com/apps), search "Incoming WebHooks", and in "Post to Channel" choose your name. This way, all notifications are going to be sent to you via direct message.
    2. Copy the "Webhook URL" generated on the next page (it should look like: https://hooks.slack.com/services/...) and go to the Semgrep Integrations page (you may need to click on "Integrations" in the left hand side navbar), create a new integration, select "Slack", provide a name, paste in the webhook URL, then save it.
    3. Click the "Test" button, and you should see a message from Semgrep in Slack.
    4. See the Slack integration docs for additional details.
  4. Now, on the Semgrep Policies page, click on each policy, go to Settings -> Integrations -> Add, select the Slack notification you set up, and click "Save".

Feel free to join the r2c community Slack and ask questions in #general or #workshop-2021-owasp-devslop if anything is unclear.


Comment on this pull request when you're ready and I'll respond with the next step.

luizfreche commented 3 years ago

;;;

github-learning-lab[bot] commented 3 years ago

Great! Now we're going to set up Semgrep scanning every PR via GitHub Actions by creating a semgrep.yml.

Though we're going to be using GitHub Actions in this workshop, because Semgrep is nice and portable, easily runnable as a standalone binary or Docker, it's pretty easy to set up Semgrep in pretty much any CI platform under the sun.

See these docs for info about setting up Semgrep in GitLab, Buildkit, CircleCI, or other providers, and see here for more info about Semgrep in CI.

⌨️ Activity: Set up Semgrep in CI

  1. On the Projects page, select the "Add CI job to GitHub project" option, and click the "Get started" button.
    1. Semgrep's GitHub App is going to ask for a few, minimal permissions so it can auto-set things up for you (create a PR adding semgrep.yml to repos you want to onboard, etc.).
    2. If you want, you can only add the Semgrep GitHub App to this intro-to-semgrep repo. If you want to add more repos, you select "All repositories" or hand select a few more. You can always update this later via your GitHub profile Installed Applications settings.
  2. After you've authorized the Semgrep GitHub App, navigate back to the Projects page, click the "Refresh projects from GitHub" button, and then click the "Add CI job" button next to the intro-to-semgrep repo row.
  3. On the next page, click the "Commit file" button, then follow the instructions for setting up a GitHub Secret on the intro-to-semgrep repo.
    1. Note that we're adding the Secret to just this repo. If you want to run Semgrep across many of your or your org's repos, you probably want to add this Secret at your profile or org level, so you don't have to add it one repo at a time.
  4. A Semgrep scan will automatically start. We'll examine the results later; for now, comment on this PR and let's get writing some rules!

Comment on this Pull Request once you've finished onboarding Semgrep (semgrep.yml GitHub Action) to this repo.
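The semgrep.yml that the Semgrep GitHub App commits in step 3 is generated for your repo and is not reproduced in this thread. As an added example (my own illustration, not the App's generated file and not part of the original lab), here is a hand-written workflow in the form Semgrep documents for GitHub Actions. It assumes the token from the Semgrep App was stored as a repository secret named SEMGREP_APP_TOKEN, which is the name the Semgrep docs use; if you named the secret differently, change it in the `env:` block.

```yaml
# .github/workflows/semgrep.yml (added example, not the file the Semgrep GitHub App commits)
name: Semgrep
on:
  # Scan every pull request, plus pushes to the default branch so the
  # dashboard has a full-repo baseline to diff PR results against.
  pull_request: {}
  push:
    branches: [main, master]
jobs:
  semgrep:
    name: semgrep/ci
    runs-on: ubuntu-latest
    # Run inside the official Semgrep image so no install step is needed.
    container:
      image: semgrep/semgrep
    # Dependabot PRs do not receive repository secrets, so skip them.
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@v4
      # `semgrep ci` pulls the rules from the policies configured in the
      # Semgrep App, reports findings back to the dashboard, and fails the
      # job when a blocking finding is introduced in the PR.
      - run: semgrep ci
        env:
          # Repository secret created in step 3 of the activity (name assumed).
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```

The same job runs unchanged on any branch protection setup: mark the `semgrep/ci` check as required on the main branch and a PR with a blocking finding cannot be merged. If you want to try scanning without a Semgrep App account, replace the `run:` line with `semgrep scan --config p/default --error` and drop the `env:` block; that uses a registry ruleset and exits non-zero on any finding, but you lose the dashboard, notifications and per-policy configuration the rest of this lab relies on.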

luizfreche commented 3 years ago

.

github-learning-lab[bot] commented 3 years ago

Congrats on writing your first rule! 🎉

Holy moly, you:

...all in a few minutes 🤯

Automate the Boring Parts of Code Review

Are there comments you (or developers at your company) often write on PRs?

Wouldn't it be nice if you could automate that work and spend your time on higher leveraged things? I think you know where I'm going with this 😉

Scaling to Thousands of Repos

Oh another thing - did you notice how easy it was to add new rules you write to your scanning policy, with one click from the Playground?

Well imagine you're scanning 100s or 1,000s of repos with Semgrep, and there's something new you'd like to enforce, whether it's a secure guardrail, a new anti-pattern you'd like to block, based on a recent penetration test report or bug bounty submission, etc.

So you quickly write the rule in the Playground, add it to one of your scanning policies, and then boom, that rule is immediately going to run on every new PR for repos using that policy.

No need to file PRs on hundreds of repos, no need to wait on developers or DevOps teams acting on your request, just quick security coverage, everywhere.

(Note: of course you want to roll out new rules carefully, to ensure they're high signal, don't bother our developer friends, etc.)

⌨️ Activity: Audit Routes

Time for the next rule writing challenge!

I've opened up a new PR with more code to match: click here to continue.


Visit the next PR to continue.
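The rule you wrote in the Playground is not shown in this thread, so here is an added example of what a rule destined for a scanning policy looks like (my own illustration for the Juice Shop Express code, not a rule from the workshop, from the Playground, or from Semgrep's registry). It flags an Express route handler that writes `req.query`, `req.body` or `req.params` data straight into the response, which is exactly the kind of review comment the "Automate the Boring Parts of Code Review" section suggests you stop writing by hand. The rule id, message and metadata are made up for this example; the rule syntax (`patterns`, `pattern-inside`, `pattern-either`, `metavariable-regex`, the `<... e ...>` deep-expression operator) is standard Semgrep.

```yaml
# reflect-request-input.yml (added example rule; id and message are made up)
rules:
  - id: express-handler-echoes-request-input
    languages: [javascript, typescript]
    severity: WARNING
    message: >-
      `$REQ.$SRC.$FIELD` is copied from the request straight into the response.
      Validate it against an allow-list or encode it for the response content
      type before calling $RES.send(); unencoded request data in an HTML
      response is reflected XSS.
    metadata:
      category: security
      cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation"
    patterns:
      # 1. Only look inside Express route handlers. The `...` before the
      #    callback absorbs any middleware arguments on the route, and the
      #    four shapes cover arrow/function callbacks with or without `next`.
      - pattern-either:
          - pattern-inside: |
              $APP.$METHOD($ROUTE, ..., ($REQ, $RES) => { ... })
          - pattern-inside: |
              $APP.$METHOD($ROUTE, ..., ($REQ, $RES, $NEXT) => { ... })
          - pattern-inside: |
              $APP.$METHOD($ROUTE, ..., function ($REQ, $RES) { ... })
          - pattern-inside: |
              $APP.$METHOD($ROUTE, ..., function ($REQ, $RES, $NEXT) { ... })
      # 2. Restrict $METHOD to HTTP verbs so app.use() / app.set() are ignored.
      - metavariable-regex:
          metavariable: $METHOD
          regex: ^(get|post|put|patch|delete|all)$
      # 3. Only user-controlled request properties count as a source.
      - metavariable-regex:
          metavariable: $SRC
          regex: ^(query|body|params)$
      # 4. The sink: request data anywhere inside the value written out.
      #    `<... e ...>` matches e itself or any expression containing it,
      #    so `res.send('Hi ' + req.query.name)` is caught as well.
      - pattern-either:
          - pattern: $RES.send(<... $REQ.$SRC.$FIELD ...>)
          - pattern: $RES.write(<... $REQ.$SRC.$FIELD ...>)
          - pattern: $RES.end(<... $REQ.$SRC.$FIELD ...>)
```

To try it locally, run `semgrep --config reflect-request-input.yml routes/` against the Juice Shop checkout. To keep the rule honest as you tune it, put a `reflect-request-input.js` next to the YAML containing a handler that should fire (preceded by a `// ruleid: express-handler-echoes-request-input` comment) and one that encodes the value first (preceded by `// ok: express-handler-echoes-request-input`), then run `semgrep --test --config reflect-request-input.yml .`; Semgrep reports any line where the annotation and the actual finding disagree. Once it is high signal, add it to a policy from the Playground as the text above describes, and consider a `pattern-not` clause for your project's HTML encoder so already-encoded values stop being reported.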