This repository was archived by the owner on Oct 28, 2025. It is now read-only.

Add sca logic to semgrep_scan(_local) #58

Open
jaksiks wants to merge 6 commits into main from seth/sca-scans

Conversation

@jaksiks (Collaborator) commented Jul 8, 2025

Add support for supply-chain and secrets scanning

This PR updates the semgrep scan functionality to support different scan types:

  • Changes the scan command from scan to ci with --dry-run
  • Adds a new scan_type parameter with three options:
    • code: Standard code scanning (default)
    • supply-chain: For scanning dependencies and CI/CD configurations
    • secrets: For detecting secrets in code
  • Adds validation to ensure an API token is present for supply-chain and secrets scans
  • Updates the command arguments to use --include instead of positional arguments

@jaksiks jaksiks self-assigned this Jul 8, 2025
jaksiks (Collaborator, Author) commented Jul 8, 2025

This stack of pull requests is managed by Graphite. Learn more about stacking.

@jaksiks jaksiks marked this pull request as ready for review July 8, 2025 17:52
@flaper87 flaper87 changed the title sca scan logic Add sca logic to semgrep_scan(_local) Jul 10, 2025
@flaper87 flaper87 enabled auto-merge July 10, 2025 19:01
if config:
args.extend(["--config", config])
args.append(temp_dir)
args = ["ci", "--json", "--dry-run"] # avoid the extra exec
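Review bot: the base list `args = ["ci", "--json", "--dry-run"]` is shown after `args.extend(["--config", config])` and `args.append(temp_dir)`; if that is the order in the resulting function, the reassignment discards the --config and target arguments, so build the base list first and extend it afterwards. Since the description says targets now go through --include, the positional `args.append(temp_dir)` should become `args.extend(["--include", ...])` rather than stay as is. The `# avoid the extra exec` comment also does not say why ci replaces scan or what --dry-run changes; a one-line comment stating that supply-chain scans are only available through ci and that --dry-run keeps findings local instead of uploading them would document the behaviour at the point where it is decided.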
Collaborator:

Can you share why ci is preferred here over scan?

Also, why is --dry-run needed?

Collaborator Author:

Currently, you can't run a supply chain scan with scan, so we have to use ci in this case. We add --dry-run in so that the scan completes and reports findings locally in a json blob, but does not upload the findings to the cloud platform.

Collaborator:

A-ha, I see! Thanks. All clear.

The --dry-run name is a bit confusing, but it makes sense 🤣
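An added example, not code from this repository, showing how the behaviour described in the PR and in the discussion above fits together: the ci subcommand with --json and --dry-run, the scan_type switch, the API-token check for supply-chain and secrets scans, and targets passed via --include. The product flags --code/--secrets/--supply-chain, the SEMGREP_APP_TOKEN variable name and the function names are assumptions, not taken from the PR.

```python
"""Command-line builder for a semgrep wrapper, following the PR description:
`ci --json --dry-run`, a scan_type switch, token validation and --include."""
import os
import subprocess

SCAN_TYPES = ("code", "supply-chain", "secrets")
TOKEN_REQUIRED = ("supply-chain", "secrets")
# Assumption: `semgrep ci` selects a product with these flags (not shown in the PR).
PRODUCT_FLAGS = {"code": "--code", "supply-chain": "--supply-chain", "secrets": "--secrets"}


def build_semgrep_args(scan_type="code", include=(), config=None, api_token=None):
    """Return the argument list that follows `semgrep` on the command line.

    `ci` replaces `scan` because supply-chain scans are not available via `scan`;
    `--dry-run` makes ci report findings locally as JSON instead of uploading
    them to the Semgrep platform.
    """
    if scan_type not in SCAN_TYPES:
        raise ValueError(f"unknown scan_type {scan_type!r}, expected one of {SCAN_TYPES}")
    if scan_type in TOKEN_REQUIRED and not api_token:
        raise ValueError(f"scan_type {scan_type!r} requires a Semgrep API token")
    # Build the base list first; assigning it after extend/append would drop
    # the --config and --include arguments.
    args = ["ci", "--json", "--dry-run", PRODUCT_FLAGS[scan_type]]
    if config:
        args.extend(["--config", config])
    for pattern in include:  # targets via --include rather than positional paths
        args.extend(["--include", pattern])
    return args


def run_semgrep(scan_type, include, config=None, api_token=None, cwd=None):
    """Run semgrep with the built arguments. The token is passed through the
    environment (assumed variable name SEMGREP_APP_TOKEN), not on the command
    line, so it does not show up in process listings or shell history."""
    args = build_semgrep_args(scan_type, include, config, api_token)
    env = dict(os.environ)
    if api_token:
        env["SEMGREP_APP_TOKEN"] = api_token
    return subprocess.run(["semgrep", *args], cwd=cwd, env=env,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Placeholder token; a real run reads it from a secret store, never a literal.
    print(build_semgrep_args("supply-chain", ["src/**"], api_token="<token>"))
```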
