ci(global): introduce semgrep code scan (#23)

* ci(global): introduce semgrep code scan

* ci(global): fix semgrep util

* ci(global): allow semgrep metrics

* ci(global): add artifacts

* ci(global): try CI instead of scan

* ci(global): test file

* ci(global): finalize

* ci(global): analyzed semgrep findings

* ci(global): add bash shebang

* ci(global): remove redundant node versioning for LTS

* ci(global): remove redundant node versioning for LTS

Author: SavelevMatthew

.github/workflows/nodejs.packages.ci.yml

@@ -8,49 +8,37 @@ on:
 
 jobs:
   lint:
-    name: Lint the code
+    name: Lint code
 
     runs-on: ubuntu-22.04
 
-    strategy:
-      matrix:
-        node-version: [ 22.x ]
-        # See supported Node.js release schedule at https://nodejs.org/en/about/releases
-
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Setup Node.js environment
         uses: actions/setup-node@v4
         with:
-          node-version: ${{ matrix.node-version }}
           cache: 'yarn'
 
       - name: Install dependencies
         run: yarn --immutable
 
-      - name: Lint the code
+      - name: Lint source code
         run: yarn lint
 
   audit:
-    name: Audit the code
+    name: Audit dependencies
 
     runs-on: ubuntu-22.04
 
-    strategy:
-      matrix:
-        node-version: [ 22.x ]
-        # See supported Node.js release schedule at https://nodejs.org/en/about/releases
-
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Setup Node.js environment
         uses: actions/setup-node@v4
         with:
-          node-version: ${{ matrix.node-version }}
           cache: 'yarn'
 
       - name: Install dependencies
@@ -59,6 +47,25 @@ jobs:
       - name: Run dependencies audit
         run: yarn npm audit --all
 
+  semgrep:
+    name: Audit source code
+
+    runs-on: ubuntu-22.04
+
+    container:
+      image: semgrep/semgrep
+
+    if: (github.actor != 'dependabot[bot]')
+
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run semgrep scan
+        run: ./bin/run-semgrep.sh
 
   build:
     name: Build and Test packages
@@ -83,7 +90,7 @@ jobs:
       - name: Install dependencies
         run: yarn --immutable
 
-      - name: Build the repo
+      - name: Build repo
         run: yarn build
 
       - name: Run tests

bin/run-semgrep.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+export SEMGREP_RULES="
+p/default
+p/javascript
+p/typescript
+p/nodejs
+p/comment
+p/cwe-top-25
+p/r2c-security-audit
+p/owasp-top-ten
+p/gitleaks
+p/secrets
+"
+
+semgrep scan --error --metrics off

packages/configs/rollup.js

@@ -71,6 +71,8 @@ function typePipe(input, output, opts = {}) {
                 entries: [
                     {
                         find: '@',
+                        // NOTE: Part of logic
+                        // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
                         replacement: path.resolve('./dist/dts', opts.typesDir || '.'),
                     },
                 ],

packages/git/src/utils/tags.ts

@@ -81,6 +81,8 @@ export function getTagRegex(packageNames: ReadonlyArray<string>, tagFormat = DEF
         }
     })
 
+    // NOTE: Regexp is escaped, so its not possible to create ReDOS
+    // nosemgrep: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
     return new RegExp(`^${escapedParts.join('')}$`)
 }
 

packages/mono-pub/src/utils/deps.spec.ts

@@ -9,7 +9,9 @@ import type { DirResult } from 'tmp'
 import type { BasePackageInfo, LatestPackagesReleases, PackageVersion } from '@/types'
 
 function writePackageJson(obj: Record<string, unknown>, packagePath: string, cwd: string) {
+    // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
     fs.mkdirSync(path.join(cwd, packagePath), { recursive: true })
+    // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
     fs.writeFileSync(path.join(cwd, packagePath, 'package.json'), JSON.stringify(obj, null, 2))
 }
 

packages/mono-pub/src/utils/path.ts

@@ -29,6 +29,8 @@ export async function getAllPackages(paths: Array<string>, cwd: string): Promise
             fileNames.push(match.fullpath())
         } else if (match.isDirectory()) {
             const fullPath = match.fullpath()
+            // NOTE: Repo traversal is a part of package logic
+            // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
             const pkgPath = path.join(fullPath, 'package.json')
             if (fs.existsSync(pkgPath)) {
                 fileNames.push(pkgPath)