feat: SECOPS-2525 - add semgrep job (#438)

## Motivation / Implements This PR adds or updates the necessary configuration to enable [Semgrep](https://semgrep.dev/docs/semgrep-code/overview/) to run on PRs on this repo. The Apollo Security team uses Semgrep to test our source for potential security vulnerabilities. Once this is accepted and merged, the Security team plans to make a passing Semgrep check a requirement for PRs to merge into this repo. This will prevent net-new severe issues from being introduced. The job proposed by this PR runs in a diff-aware mode, so it will only alert if net-new issues are introduced in a branch. In the event that a severe issue _is_ detected on a PR, the CI job will add a comment to the PR associated with the detection to provide instructions on how to properly resolve the detection. The comment added to PRs will also include instructions on how to get further support if needed. If maintainers reviewing this PR have questions, please reach out in the `#security` channel in Slack or contact Matt Peake directly at `matt[.]peake@apollographql[.]com`. ## Changed - Updated `.circleci/config.yml` to include appropriate configuration to enable Semgrep as a CI check. These changes were programmatically generated, so YAML formatting may have been modified to conform to the YAML spec. - Updated SecOps orb to latest version --------- Co-authored-by: Matt Peake <[email protected]> Co-authored-by: Iryna Shestak <[email protected]>
apollographql · Jan 16, 2024 · fe9b17c · fe9b17c
1 parent 803f3a1
commit fe9b17c
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -4,7 +4,7 @@ version: 2.1
 orbs:
   rust: circleci/[email protected]
   gh: circleci/[email protected]
-  secops: apollo/[email protected].1
+  secops: apollo/[email protected].6
 
 # These filters are used to determine which package to release
 any_release: &any_release
@@ -105,7 +105,7 @@ workflows:
             - "Run cargo tests (stable rust on amd_macos)"
             - "Run cargo tests (stable rust on amd_windows)"
           <<: *crate_release
-  
+
   security-scans:
     jobs:
       - secops/gitleaks:
@@ -116,6 +116,11 @@ workflows:
           git-base-revision: <<#pipeline.git.base_revision>><<pipeline.git.base_revision>><</pipeline.git.base_revision >>
           git-revision: << pipeline.git.revision >>
 
+      - secops/semgrep:
+          context:
+            - secops-oidc
+            - github-orb
+          git-base-revision: <<#pipeline.git.base_revision>><<pipeline.git.base_revision>><</pipeline.git.base_revision >>
 jobs:
   xtask:
     parameters:
@@ -461,4 +466,4 @@ commands:
                   If you would like to verify that the binary you have downloaded was built from the source code in this repository, you can compute a checksum of the zipped tarball and compare it to the checksums that are included as release artifacts.
 
                   Binaries built for MacOS are signed, notarized, and automatically verified with [Gatekeeper](https://support.apple.com/guide/deployment-reference-macos/using-gatekeeper-apd02b925e38/web).' \
-                  artifacts/*
+                  artifacts/*