chore: adds semgrep pre-commit and CI action (#51)

* chore: adds semgrep pre-commit and CI action

Signed-off-by: Jennifer Power <[email protected]>

* chore: run pre-commit install in CI step

Signed-off-by: Jennifer Power <[email protected]>

---------

Signed-off-by: Jennifer Power <[email protected]>

.github/workflows/ci.yml

@@ -4,7 +4,8 @@ name: CI
 on:
   push:
   pull_request:
-    branches: main
+    branches: 
+    - main
 
 concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
@@ -36,11 +37,14 @@ jobs:
 
       - name: Set up poetry and install
         uses: ./.github/actions/setup-poetry
+
+      - name: Pre-commit install
+        run: make pre-commit
 
-      - name: Run checks
+      - name: Run linting checks
         run: make lint
 
-      - name: Run bandit
+      - name: Run security checks
         run: make security-check
 
       - name: Check dependencies

.github/workflows/codecov.yml

@@ -3,7 +3,8 @@ name: Code Coverage Check
 
 on:
   pull_request:
-    branches: main
+    branches: 
+    - main
 
 jobs:
   test:

.pre-commit-config.yaml

@@ -0,0 +1,13 @@
+repos:
+  - repo: https://github.com/returntocorp/semgrep
+    rev: v1.42.0
+    hooks:
+      - id: semgrep
+        name: Semgrep Python
+        types: [python]
+        args: ["--config", "p/python", "--error", --metrics=off]
+      - id: semgrep
+        name: Semgrep Bandit
+        types: [python]
+        exclude: "^tests/.+$"
+        args: ["--config", "p/bandit", "--error", --metrics=off]

Makefile

@@ -4,11 +4,14 @@ TESTS := tests
 all: develop lint test
 .PHONY: all
 
-develop:
+develop: pre-commit
 	@poetry install	
 	@poetry shell
 .PHONY: develop
 
+pre-commit:
+	@poetry run pre-commit install
+
 lint:
 	@poetry lock --check
 	@poetry run isort --profile=black --lines-after-imports=2 \
@@ -38,7 +41,7 @@ dep-cve-check:
 .PHONY: dep-cve-check
 
 security-check:
-	@poetry run bandit -r $(PYMODULE)
+	@poetry run pre-commit run semgrep --all-files
 .PHONY: security-check
 
 build: clean-build