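# Semgrep gating workflow.
#   make               -> `semgrep`: scan the repo, then compare against the baseline
#   make semgrep-base  -> create ./outs/semgrep-base-result.json once (skipped if present)
#   make remove-base   -> drop the baseline so the next run rebuilds it
#   make semgrep-test  -> run semgrep's rule tests for security/semgrep in a container
# Scan output is flattened with jq into {keyId, finding, reason, path, line, severity}
# records; security/scripts/semgrep-result-compare.php does the actual comparison.

.PHONY: basecheck semgrep-base semgrep remove-base semgrep-test
.DEFAULT_GOAL := semgrep

# bash + pipefail: under plain sh the exit status of `semgrep ... | jq ...` is jq's,
# so a crashed scan (bad rule, missing config) silently produced an empty or bogus
# result file that then served as the baseline. -u additionally catches a
# mistyped $$var inside a recipe.
SHELL := bash
.SHELLFLAGS := -euo pipefail -c

OUT_DIR := ./outs
BASE_FILE := $(OUT_DIR)/semgrep-base-result.json
NEW_RESULT_FILE := $(OUT_DIR)/semgrep-result.json

# Local checkout of the custom rules, next to this repository. No quotes inside
# $(abspath): make keeps them as part of the path, and the old value only worked
# because the shell stripped them again at use time.
SEMGREP_RULES := $(abspath ../semgrep-rules)
# Where the custom rules come from and, optionally, which tag/commit to use.
# The rules decide what this gate flags, so an unpinned `git pull` of a
# third-party repository on every run is a supply-chain exposure; set
# SEMGREP_RULES_REF in CI to pin it. Empty keeps the original behaviour
# (track the default branch). Note: once a ref has been checked out the
# checkout is detached, so going back to tracking needs a manual branch checkout.
SEMGREP_RULES_REPO ?= https://github.com/dicoding-dev/semgrep-rules
SEMGREP_RULES_REF ?=
# Image that runs the comparison script. Pin it by digest in CI
# (php:8.3-alpine@sha256:...) so the gate does not execute whatever the
# floating tag points at tomorrow. The whole repo is mounted read-write;
# it is not known from here whether the script writes anything, so no :ro yet.
COMPARE_IMAGE ?= php:8.3-alpine

# Flatten semgrep's JSON to the fields the compare script reads.
# `-e` makes the last jq fail (instead of printing nothing) when .results is
# missing or null, so a malformed scan never yields a "successful" result file.
JQ_PARSING := jq .results | jq -e ' [.[] | {keyId: .check_id, finding: .extra.lines, reason: .extra.message, path: .path, line: .start.line, severity: .extra.severity}]'

# Rule packs. p/command-injection was listed twice in the original; once is enough.
SEMGREP_CONFIG := -j 6 --metrics=off \
	--config "p/default" --config "p/typescript" --config "p/javascript" --config "p/xss" \
	--config "p/command-injection" --config "p/phpcs-security-audit" --config "p/ci" \
	--config "p/r2c" --config "p/r2c-bug-scan" --config "p/r2c-ci" --config "p/owasp-top-ten" \
	--config "p/cwe-top-25" --config "p/r2c-security-audit" --config "p/secrets" \
	--config "p/sql-injection" --config "$(SEMGREP_RULES)"

SEMGREP_EXCLUSION := --exclude app/tests --exclude app/views/newsletters --exclude app/database \
	--exclude app/models --exclude app/start --exclude bootstrap --exclude gulpfile.js \
	--exclude public --exclude resources/fixtures --exclude resources/scripts --exclude resources/scss \
	--exclude resources/components/commons/scripts/base/bootstrapBundle.js --exclude server.php \
	--exclude artisan --exclude composer.lock --exclude security

# `--error` makes semgrep exit 1 when it has findings; that is the normal case
# here (the comparison decides what is new), so exit codes 0 and 1 are accepted
# and only >1 (crash, invalid rules, unreachable registry) aborts the recipe.
# pipefail then carries that failure through jq. `$$?` is the shell's `$?`.
SEMGREP_COMMAND = { semgrep scan $(SEMGREP_CONFIG) $(SEMGREP_EXCLUSION) --legacy --error --json || [ $$? -eq 1 ]; } | $(JQ_PARSING)

# Clone the custom rules on first use, then bring them up to date.
# The existence check is evaluated when the Makefile is parsed, exactly like
# the original `$(shell test -e ...)`, just without forking a shell.
basecheck:
ifeq ($(wildcard $(SEMGREP_RULES)),)
	git clone "$(SEMGREP_RULES_REPO)" "$(SEMGREP_RULES)"
endif
	@printf '\033[0;31m=== Memperbarui semgrep rules ===\033[0m\n'
ifneq ($(strip $(SEMGREP_RULES_REF)),)
	cd "$(SEMGREP_RULES)" && git fetch --tags origin && git checkout --quiet "$(SEMGREP_RULES_REF)"
else
	cd "$(SEMGREP_RULES)" && git pull
endif

# Create the baseline once. The result is written to a temp file and renamed,
# so an interrupted or failed scan never leaves a truncated baseline that the
# next run would treat as "already present".
semgrep-base: basecheck
ifeq ($(wildcard $(BASE_FILE)),)
	@printf '\033[0;31m=== Menjalankan semgrep tahap awal ===\033[0m\n'
	@mkdir -p "$(OUT_DIR)"
	$(SEMGREP_COMMAND) > "$(BASE_FILE).tmp" && mv -f "$(BASE_FILE).tmp" "$(BASE_FILE)"
else
	@printf '\033[0;31m=== Base sudah ada ===\033[0m\n'
endif

# Scan the current tree and compare it with the baseline.
# $(CURDIR) instead of ${PWD}: the PWD environment variable is not updated by
# `make -C`, CURDIR always is the directory make runs in.
semgrep: semgrep-base
	@printf '\033[0;31m=== Menjalankan semgrep pada perubahan terbaru ===\033[0m\n'
	@mkdir -p "$(OUT_DIR)"
	$(SEMGREP_COMMAND) > "$(NEW_RESULT_FILE).tmp" && mv -f "$(NEW_RESULT_FILE).tmp" "$(NEW_RESULT_FILE)"
	@printf '\033[0;31m=== Melakukan Komparasi. ===\033[0m\n'
	@docker run --rm -v "$(CURDIR):/app" $(COMPARE_IMAGE) php /app/security/scripts/semgrep-result-compare.php

# Drop the baseline. $(RM) is `rm -f`, so a missing file is not an error.
remove-base:
	$(RM) "$(BASE_FILE)"

# Run semgrep's own rule tests for the in-repo rules.
# SEMGREP_CMD (the semgrep container image) is not defined in this file; if it
# is empty the original command became `docker run ... semgrep --test ...`, i.e.
# docker pulled and ran whatever image is published under the bare name
# "semgrep". Refuse to run instead.
semgrep-test:
	@test -n "$(strip $(SEMGREP_CMD))" || { printf 'SEMGREP_CMD (semgrep container image) is not set\n' >&2; exit 1; }
	docker run --rm -v "$(CURDIR):/src" $(SEMGREP_CMD) semgrep --test security/semgrep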