feat: configurable Semgrep Registry base URL (d9c20417) · Commits · to be continuous... / Node.js

README.md

+1 −0

Original line number	Diff line number	Diff line
		@@ -363,6 +363,7 @@ It is bound to the `test` stage, and uses the following variables:
		\| `semgrep-image` / `NODE_SEMGREP_IMAGE` \| The Docker image used to run [Semgrep](https://semgrep.dev/docs/) \| `registry.hub.docker.com/semgrep/semgrep:latest` \|
		\| `semgrep-args` / `NODE_SEMGREP_ARGS` \| Semgrep [scan options](https://semgrep.dev/docs/cli-reference#semgrep-scan-command-options) \| `--metrics off --disable-version-check --no-suppress-errors` \|
		\| `semgrep-rules` / `NODE_SEMGREP_RULES` \| Space-separated list of [Semgrep rules](https://semgrep.dev/docs/running-rules).<br/>Can be both local YAML files or remote rules from the [Semgrep Registry](https://semgrep.dev/explore) (denoted by the `p/` prefix). \| `p/javascript p/eslint p/gitlab-eslint` \|
		\| `semgrep-registry-base-url` / `NODE_SEMGREP_REGISTRY_BASE_URL` \| The Semgrep Registry base URL that is used to download the rules. No trailing slash. \| `https://semgrep.dev/c` \|
		\| `semgrep-download-rules-enabled` / `NODE_SEMGREP_DOWNLOAD_RULES_ENABLED` \| Download Semgrep remote rules \| `true` \|

		> :information_source: Semgrep may [collect some metrics](https://semgrep.dev/docs/metrics), especially when using rules from the Semgrep Registry.

+5 −0

Original line number	Diff line number	Diff line
		@@ -128,6 +128,11 @@
		"description": "Space-separated list of [Semgrep rules](https://semgrep.dev/docs/running-rules).\n\nCan be both local YAML files or remote rules from the [Semgrep Registry](https://semgrep.dev/explore) (denoted by the `p/` prefix).",
		"default": "p/javascript p/eslint p/gitlab-eslint"
		},
		{
		"name": "NODE_SEMGREP_REGISTRY_BASE_URL",
		"description": "The Semgrep Registry base URL that is used to download the rules. No trailing slash.",
		"default": "https://semgrep.dev/c"
		},
		{
		"name": "NODE_SEMGREP_DOWNLOAD_RULES_ENABLED",
		"description": "Download Semgrep remote rules",

+8 −2

Original line number	Diff line number	Diff line
		@@ -84,6 +84,10 @@ spec:

		Can be both local YAML files or remote rules from the [Semgrep Registry](https://semgrep.dev/explore) (denoted by the `p/` prefix).
		default: p/javascript p/eslint p/gitlab-eslint
		semgrep-registry-base-url:
		description: \|-
		The Semgrep Registry base URL that is used to download the rules. No trailing slash.
		default: https://semgrep.dev/c
		semgrep-download-rules-enabled:
		description: Download Semgrep remote rules
		type: boolean
		@@ -186,6 +190,7 @@ variables:
		NODE_SEMGREP_DISABLED: $[[ inputs.semgrep-disabled ]]
		NODE_SEMGREP_ARGS: $[[ inputs.semgrep-args ]]
		NODE_SEMGREP_RULES: $[[ inputs.semgrep-rules ]]
		NODE_SEMGREP_REGISTRY_BASE_URL: $[[ inputs.semgrep-registry-base-url ]]
		NODE_SEMGREP_DOWNLOAD_RULES_ENABLED: $[[ inputs.semgrep-download-rules-enabled ]]
		# Outdated
		NODE_OUTDATED_DISABLED: $[[ inputs.outdated-disabled ]]
		@@ -580,9 +585,10 @@ stages:
		log_info "... rule file $rule found: skip"
		SEMGREP_RULES="${SEMGREP_RULES} $rule"
		else
		log_info "... rule file $rule not found: download (https://semgrep.dev/c/$rule)"
		rule_url="${NODE_SEMGREP_REGISTRY_BASE_URL}/$rule"
		log_info "... rule file $rule not found: downloading from $DOWNLOAD_URL"
		dest_file="semgrep-${rule/p\//}.yml"
		wget "https://semgrep.dev/c/$rule" -O "$dest_file"
		wget "$rule_url" -O "$dest_file"
		SEMGREP_RULES="${SEMGREP_RULES} $dest_file"
		fi
		done