feat: SECOPS-2525 - add semgrep job #3312
Closed
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation / Implements
This PR adds or updates the necessary configuration to enable Semgrep to run on PRs on this repo. The Apollo Security team uses Semgrep to test our source for potential security vulnerabilities.
Once this is accepted and merged, the Security team plans to make a passing Semgrep check a requirement for PRs to merge into this repo. This will prevent net-new severe issues from being introduced. The job proposed by this PR runs in a diff-aware mode, so it will only run Semgrep on the files that have changed in a given PR.
In the event that a severe issue is detected on a PR, the CI job will add a comment to the PR associated with the detection to provide instructions on how to properly resolve the detection. The comment added to PRs will also include instructions on how to get further support if needed.
If maintainers reviewing this PR have questions, please reach out in the
#security
channel in Slack or contact Matt Peake directly atmatt[.]peake@apollographql[.]com
.Existing Findings
Semgrep does not currently detect any severe issues in this repo.
Changed
.circleci/config.yml
to include appropriate configuration to enable Semgrep as a CI check. These changes were programmatically generated, so YAML formatting may have been modified to conform to the YAML spec.