rhpco / intro-to-semgrep

https://lab.github.com/returntocorp/intro-to-semgrep
MIT License

Useful Semgrep Links #2

Open github-learning-lab[bot] opened 3 years ago

github-learning-lab[bot] commented 3 years ago

This issue collects various links to useful Semgrep resources and documentation in one place so you can reference it if you ever get stuck.

Rule Writing

There's a step-by-step rule writing tutorial here.

If you go to the Playground, you can also click the "Examples" button to view a number of illustrative built-in examples.

And of course, you can also review the over 1,000 rules in @returntocorp/semgrep-rules.

Docs

Semgrep has pretty extensive docs, which you can view here.

Of note:

Community

Feel free to join the r2c community Slack to ask questions (we're super responsive!) or reach out to us on Twitter (@r2cdev), or send us an email at support@r2c.dev.
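As an added illustration of the rule-writing material linked above (this rule is written for this page and is not one of the examples from the Playground or from @returntocorp/semgrep-rules; the rule id, message and the sample calls in the comments are my own), here is a small Semgrep rule that flags `subprocess` calls which hand a non-literal command string to the shell. It uses the pattern features the tutorial covers: metavariables (`$FUNC`), the `...` ellipsis for "any other arguments", `"..."` for "any string literal", and `pattern-not` to carve out the safe case.

```yaml
rules:
  - id: python-subprocess-shell-true-nonliteral
    languages: [python]
    severity: ERROR
    message: >-
      subprocess.$FUNC is called with shell=True and a command that is not a
      plain string literal, so any attacker-influenced part of the command is
      parsed by the shell (OS command injection, CWE-78). Pass the command as
      a list of arguments and drop shell=True.
    patterns:
      # Any subprocess.<function> call that sets shell=True, regardless of
      # what other positional or keyword arguments are present.
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      # Exclude calls whose command is a bare string literal; "..." in a
      # Semgrep pattern matches any string literal. A constant command with
      # shell=True is still poor style, but it is not injectable.
      - pattern-not: subprocess.$FUNC("...", shell=True, ...)
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"

# Constructed sample inputs for trying this rule in the Playground:
#   flagged:      subprocess.call("ls " + user_dir, shell=True)
#   flagged:      subprocess.run(cmd, shell=True, check=True)
#   not flagged:  subprocess.call("ls -la", shell=True)
#   not flagged:  subprocess.run(["ls", user_dir])
```

Paste the rule into the Playground's rule pane and the sample calls into the code pane to see which lines match; the `pattern-not` line is the one to experiment with, since removing it turns the rule into a noisier "any shell=True" check.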

rhpco commented 3 years ago

good!

github-learning-lab[bot] commented 3 years ago

Getting Started

Alright, first we'll do a few quick things to get you up and running.

At a high level, here's what we're going to do:

Join the r2c Community Slack - There's a channel for this workshop you can ask questions in, and we'll use it to set up notifications when Semgrep finds issues.

Create a free Semgrep App account - This lets us easily manage Semgrep in CI, set up notifications, configure scanning policy, view results over time, and more.

⌨️ Activity: Create a Dashboard Account, Set up Slack Notifications

  1. Join the r2c community Slack and the #workshop-2021-owasp-devslop channel.
  2. Log in to the Semgrep Dashboard.
  3. Set up Slack Notifications.
    1. Go to the Incoming WebHooks page on the Slack App Directory, and in "Post to Channel" choose your name. This way, all notifications are going to be sent to you via direct message.
    2. Copy the "Webhook URL" generated on the next page (it should look like: https://hooks.slack.com/services/...) and go to the Semgrep Integrations page (you may need to click on "Integrations" in the left hand side navbar), create a new integration, select "Slack", provide a name, paste in the webhook URL, then save it.
    3. Click the "Test" button, and you should see a message from Semgrep in Slack.
  4. Now, on the Semgrep Policies page, click on each policy, go to Settings -> Integrations -> Add, select the Slack notification you set up, and click "Save".

Comment on this pull request when you're ready and I'll respond with the next step.

rhpco commented 3 years ago

good

github-learning-lab[bot] commented 3 years ago

Great! Now we're going to set up Semgrep scanning every PR via GitHub Actions by creating a semgrep.yml.

Though we're going to be using GitHub Actions in this workshop, because Semgrep is nice and portable, easily runnable as a standalone binary or in Docker, it's pretty easy to set up Semgrep in pretty much any CI platform under the sun.

See these docs for info about setting up Semgrep in GitLab, Buildkite, CircleCI, or other providers, and see here for more info about Semgrep in CI.

⌨️ Activity: Set up Semgrep in CI

  1. On the Projects page, select the "Add CI job to GitHub project" option, and click the "Get started" button.
    1. Semgrep's GitHub App is going to ask for a few minimal permissions so it can auto-set things up for you (create a PR adding semgrep.yml to repos you want to onboard, etc.).
    2. If you want, you can only add the Semgrep GitHub App to this intro-to-semgrep repo. If you want to add more repos, you can select "All repositories" or hand select a few more. You can always update this later via your GitHub profile Installed Applications settings.
  2. After you've authorized the Semgrep GitHub App, navigate back to the Projects page, click the "Refresh projects from GitHub" button, and then click the "Add CI job" button next to the intro-to-semgrep repo row.
  3. On the next page, click the "Commit file" button, then follow the instructions for setting up a GitHub Secret on the intro-to-semgrep repo.
    1. Note that we're adding the Secret to just this repo. If you want to run Semgrep across many of your or your org's repos, you probably want to add this Secret at your profile or org level, so you don't have to add it one repo at a time.
  4. A Semgrep scan will automatically start. We'll examine the results later; for now, comment on this PR and let's get writing some rules!

Comment on this Pull Request once you've finished onboarding Semgrep (semgrep.yml GitHub Action) to this repo.
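For reference, here is what the semgrep.yml committed by the "Add CI job" flow looks like as a GitHub Actions workflow. This is an added example, not the file the Semgrep GitHub App generates for you; it assumes the `returntocorp/semgrep-action@v1` action in use at the time of this workshop, and that the GitHub Secret you created in step 3 is named `SEMGREP_APP_TOKEN` (use whatever name you gave it).

```yaml
# .github/workflows/semgrep.yml
name: Semgrep

on:
  # Scan every pull request so findings are reported before merge.
  pull_request: {}
  # Also scan pushes to the default branch so the dashboard has a
  # full-repo baseline to compare PR diffs against.
  push:
    branches: [main, master]

jobs:
  semgrep:
    name: Scan
    runs-on: ubuntu-latest
    # Dependabot-authored PRs run without access to repository secrets,
    # so the token below would be empty; skip them rather than fail.
    if: github.actor != 'dependabot[bot]'
    steps:
      - uses: actions/checkout@v2
      - uses: returntocorp/semgrep-action@v1
        env:
          # Token from the Semgrep App, stored as a repo (or org) Secret.
          # With it set, the action pulls the rule policies you configured
          # on the Policies page and publishes results to the dashboard,
          # which is what triggers the Slack notifications set up earlier.
          # SEMGREP_APP_TOKEN is an assumed secret name for this example.
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```

Two things worth checking once the first run completes: the job should appear as a status check on the PR, and the scan should show up under the project on the Projects page. If the job runs but nothing reaches the dashboard, the secret name in the workflow and the one you created in step 3 usually do not match.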