# Semgrep S3 Scanner

A command-line utility that integrates with your projects to run semgrep scans using rules stored in S3. This tool is designed to be easily installed via npm and configured in your project's `package.json`.

## Installation

```bash
npm install -g semgrep-s3-scanner
```

## Prerequisites

1. Install semgrep:

   ```bash
   # For macOS
   brew install semgrep
   # For other platforms, see: https://semgrep.dev/docs/getting-started/installation/
   ```

2. Configure AWS credentials (for S3 access):

   ```bash
   export AWS_ACCESS_KEY_ID=your_access_key
   export AWS_SECRET_ACCESS_KEY=your_secret_key
   ```

   The scanner only reads rule objects, so the identity behind these keys needs nothing more than read access to the rules bucket and prefix. In CI, prefer short-lived credentials obtained by assuming a role over long-lived static keys exported into the environment.

## Usage

Basic usage:

```bash
semgrep-s3-scanner scan
```

With options:

```bash
semgrep-s3-scanner scan \
  --bucket your-bucket-name \
  --prefix rules/ \
  --target ./src \
  --output report.json \
  --format json
```

### Options

- `-b, --bucket <bucket>`: S3 bucket name (default: 'semgrep-rules')
- `-p, --prefix <prefix>`: Rules prefix in S3 (default: 'rules/')
- `-t, --target <target>`: Target directory or file to scan (default: '.')
- `-o, --output <output>`: Output file for the report (default: 'semgrep-report.json')
- `-f, --format <format>`: Output format (json or sarif) (default: 'json')

Always pass `--bucket` explicitly. S3 bucket names are global, so the default `semgrep-rules` is not necessarily a bucket you control, and whoever controls the bucket the scanner reads from controls which rules run, and therefore which findings you never see.

## Integration with CI/CD

Add to your CI pipeline:

```yaml
steps:
  - name: Run Semgrep Scan
    run: |
      npm install -g semgrep-s3-scanner
      semgrep-s3-scanner scan --output scan-results.json
```

Pin the package version in the install command rather than installing whatever is latest on every run, and pass `--bucket` so the pipeline never falls back to the default bucket name.

## Development

1. Clone the repository
2. Install dependencies:

   ```bash
   npm install
   ```

3. Build the project:

   ```bash
   npm run build
   ```

4. Run tests:

   ```bash
   npm test
   ```

## License

MIT

## Command Line Options

- `-d, --directory <path>`: Directory to scan (required)
- `-b, --bucket <name>`: S3 bucket name (required, can be set via SEMGREP_S3_BUCKET env variable)
- `-r, --rules-path <path>`: Path to rules in S3 bucket (default: 'rules/')
- `-o, --output <path>`: Output path for the report (default: 'semgrep-report.md')

This list disagrees with the `Options` list under Usage above (`--directory` versus `--target`, a required bucket versus a default one, a `.md` report versus a `.json` one). Confirm which flags the version you installed actually accepts from its help output before wiring them into a pipeline.

## S3 Rules Format

The rules should be stored in your S3 bucket as a YAML file.

Example:

```yaml
rules:
  - id: example-rule
    pattern: $X = $Y
    message: "Found assignment"
    languages: [python]
    severity: WARNING
```

## Output

The tool generates two files:

1. `semgrep-results.json` - Raw semgrep results
2. `semgrep-report.md` - Human-readable markdown report

## Requirements

- Node.js 14+
- AWS credentials configured
- semgrep CLI installed