Merge branch 'sara/sidebar-v3.02/deployment' into develop

semgrep · Jan 23, 2024 · 74803e0 · 74803e0
2 parents c715168 + 700e78d
commit 74803e0
Show file tree

Hide file tree

Showing 16 changed files with 517 additions and 209 deletions.
diff --git a/docs/choose-oss-pro.md b/docs/choose-oss-pro.md
@@ -46,7 +46,7 @@ The following products are **free** for up to 10 contributors:
 
 The following tables describe Semgrep's essential scanning and findings management capabilities.
 
-### SAST (Static Application Security Testing)
+### SAST (Static application security testing)
 
 | Feature                                                                               | Semgrep OSS | Semgrep Pro |
 | ------------------------------------------------------------------------------------- | ----------- | ---------------------- |
@@ -139,7 +139,7 @@ The following table lists tools to enable developers to resolve their own code.
         </tr>
         <tr>
             <td>Publicly-contributed rules</td>
-            <td>Various; dependent on author</td>
+            <td>Dependent on author</td>
             <td>--</td>
         </tr>
     </tbody>

diff --git a/docs/deployment/add-semgrep-other-cicd.md b/docs/deployment/add-semgrep-other-cicd.md
@@ -0,0 +1,145 @@
+---
+slug: add-semgrep-to-other-ci-providers
+title: Add Semgrep to other CI providers
+hide_title: true
+description: "Set up your CI pipeline manually with Semgrep Cloud Platform for centralized rule and findings management."
+tags:
+  - Deployment
+---
+
+# Add Semgrep to other CI providers
+
+:::note Your deployment journey
+- You have [<i class="fa-regular fa-file-lines"></i> created a Semgrep account and organization](/deployment/create-account-and-orgs). 
+- For GitHub and GitLab users: You have [<i class="fa-regular fa-file-lines"></i> connected your source code manager](/deployment/connect-scm).
+- Optionally, you have [<i class="fa-regular fa-file-lines"></i> set up SSO](/deployment/sso).
+:::
+
+This guide walks you through creating a Semgrep job for CI providers that are **not** listed in Semgrep Cloud Platform (SCP). Skip this guide if you have already configured a CI job.
+
+This method is known to work with the following CI providers:
+
+* AppVeyor
+* Bamboo
+* Bitrise
+* Buildbot
+* Codeship
+* Codefresh
+* Drone CI
+* Nomad
+* TeamCity CI
+* Travis CI
+
+## General steps
+
+The general steps are:
+
+1. Create a `SEMGREP_APP_TOKEN`.
+1. Add this token as a credential, secret, or token into your CI provider and CI configuration file.
+1. For GitHub repositories: Grant permissions for [Semgrep Cloud Platform](https://github.com/marketplace/semgrep-dev).
+1. Create a CI job running Semgrep and commit the updated configuration file.
+1. The CI job starts automatically depending on your configuration and CI provider. If the job does not start, run the job by committing code or creating a pull request (PR) or merge request (MR).
+1. Semgrep detects the `SEMGREP_APP_TOKEN`, sends it to Semgrep Cloud Platform for verification, and if verified, findings are sent to Semgrep Cloud Platform.
+1. Define additional environment variables to enable other Semgrep Cloud Platform features. This is done last because it is easier to set up and troubleshoot CI jobs after ensuring that the CI job runs correctly.
+
+The next sections go over these steps in detail.
+
+### Create a SEMGREP_APP_TOKEN
+
+To create a `SEMGREP_APP_TOKEN`, follow these steps:
+
+1. Sign in to [Semgrep Cloud Platform](https://semgrep.dev/login).
+2. Click **[Settings](https://semgrep.dev/orgs/-/settings/tokens)** > **Tokens**.
+3. Click **Create new token**.
+4. Copy the name and value, then click **Update**.
+5. Store the token value into your CI provider. Tokens can also be referred to as `secrets`, `credentials`, or `secure variables`. The steps to do this vary depending on your CI provider.
+6. Add the `SEMGREP_APP_TOKEN` environment variable into your Semgrep CI job. Refer to your CI provider's documentation for the correct syntax. You can also see the examples in [Create a CI job](#creating-a-ci-job-running-semgrep).
+
+### GitHub repositories: Grant permissions for SCP
+
+:::tip
+Perform these steps before committing your CI job configuration to ensure that Semgrep Cloud Platform has the necessary permissions to scan your code.
+:::
+
+Follow these steps for GitHub permissions access:
+
+1. Go to the [Semgrep application](https://github.com/marketplace/semgrep-dev) within GitHub Marketplace.
+2. Click on **Install it for free**. Follow the instructions to begin the installation.
+2. Once `semgrep-app` is installed, select what repositories `semgrep-app` can access. Select **All repositories** or **Only select repositories**.
+![Screenshot of GitHub authorization page for Semgrep App](/img/semgrep-ci-github-access-repos.png "Screenshot of GitHub authorization page for Semgrep App")
+4. Click **Install & Authorize** to finalize your installation.
+
+### Create a Semgrep CI job
+
+1. Add Semgrep to your CI pipeline. Do either of the following:
+    1. Reference or add the [Semgrep Docker image](https://hub.docker.com/r/returntocorp/semgrep). This is the recommended method.
+    2. Add `pip install semgrep` into your configuration file as a step or command, depending on your CI provider's syntax.
+2. Add `semgrep ci` as a step or command.
+3. Set the `SEMGREP_APP_TOKEN` environment variable within your configuration file.
+
+The following example is a `bitbucket-pipelines.yml` file that adds Semgrep through the Docker image:
+
+<details><summary>Add Semgrep through the Docker image.</summary>
+
+```yaml
+image: atlassian/default-image:latest
+
+pipelines:
+  default:
+    - parallel:
+      - step:
+        name: 'Run Semgrep scan with current branch'
+        deployment: dev
+        # Reference the Semgrep Docker image:
+        image: returntocorp/semgrep
+        script:
+        # You need to set the token as an environment variable 
+        # (see Create a `SEMGREP_APP_TOKEN` section).
+          - export $SEMGREP_APP_TOKEN
+          # Run semgrep ci:
+          - semgrep ci
+```
+
+</details>
+
+The next example is a `Jenkinsfile` configuration that adds Semgrep by installing it:
+
+<details><summary>Add Semgrep by installing it.</summary>
+
+```javascript
+pipeline {
+  agent any
+  stages {
+    stage('Semgrep-Scan') {
+        environment { 
+          // You need to set the token as an environment variable 
+          // (see Create a `SEMGREP_APP_TOKEN` section).
+          SEMGREP_APP_TOKEN = credentials('SEMGREP_APP_TOKEN')
+        } 
+      steps {
+        // Install and run Semgrep:
+        sh 'pip3 install semgrep'
+        sh 'semgrep ci'
+      }
+    }
+  }
+}
+```
+
+</details>
+
+### Run the job
+
+Depending on your CI provider and configuration, the job runs automatically. Otherwise, trigger the job by committing code or opening a PR or MR.
+
+### Verify the connection
+
+To verify that your Semgrep CI job is connected to Semgrep Cloud Platform:
+
+1. Go to your Semgrep Cloud Platform [Projects page](https://semgrep.dev/orgs/-/projects).
+2. Verify that your repository is listed on the Projects page and that Semgrep Cloud Platform is running a scan.
+
+## Next steps
+
+- Set up PR or MR comments.
+- Optional: Learn about customizing your scans: tk link. These customizations can be done any time.
diff --git a/docs/deployment/add-semgrep-to-cicd.md b/docs/deployment/add-semgrep-to-cicd.md
@@ -2,14 +2,22 @@
 slug: add-semgrep-to-cicd
 title: Add Semgrep to CI/CD
 hide_title: true
-description: tk
+description: "Set up your CI pipeline with Semgrep Cloud Platform for centralized rule and findings management."
 tags:
   - Deployment
 ---
 
 import MoreHelp from "/src/components/MoreHelp"
 
-# Add Semgrep to CI/CD
+import PlatformAddRepo from "/src/components/procedure/_platform-add-repo.md"
+import PlatformDetectGhRepos from "/src/components/procedure/_platform-detect-ghrepos.md"
+import DiffAwareScanning from "/src/components/reference/_diff-aware-scanning.mdx"
+import CiScheduling from "/src/components/reference/_ci-scheduling.mdx"
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# Add Semgrep to CI
 
 :::note Your deployment journey
 - You have [<i class="fa-regular fa-file-lines"></i> created a Semgrep account and organization](/deployment/create-account-and-orgs). 
@@ -18,3 +26,112 @@ import MoreHelp from "/src/components/MoreHelp"
 :::
 
 Semgrep is integrated into CI environments by creating a **job** (also known as an **action** for some CI providers) that is run by the CI provider. After a scan, findings are sent to Semgrep Cloud Platform for triage and remediation. 
+
+This guide walks you through creating a Semgrep job in the following **in-app CI providers**:
+
+- GitHub Actions
+- GitLab CI/CD
+- Jenkins
+- Bitbucket
+- CircleCI
+- Buildkite
+- Azure Pipelines
+
+If your provider is not on this list, you can still integrate Semgrep into your CI workflows by following the steps in [<i class="fa-regular fa-file-lines"></i> ] Add Semgrep to other CI providers tk link.
+
+## Projects
+
+Adding a Semgrep job to your CI provider also adds the repository's records, including findings, as a **project** in Semgrep Cloud Platform. Each Project can be individually configured to send notifications or tickets. 
+
+![Semgrep Cloud Platform Projects page](/img/projects-page.png)
+**Figure.** Semgrep Cloud Platform Projects page. This displays all the repositories you have successfully added a Semgrep job to.
+
+## Add Semgrep to CI through Semgrep Cloud Platform
+
+<Tabs
+    defaultValue="gha"
+    values={[
+    {label: 'GitHub Actions', value: 'gha'},
+    {label: 'Other in-app providers', value: 'other'},
+    ]}
+>
+
+<TabItem value='gha'>
+
+To add a CI job to GitHub Actions:
+
+1. Ensure you are signed in to Semgrep Cloud Platform.
+1. Click **[Projects](https://semgrep.dev/orgs/-/projects)** on the left sidebar.
+1. Click **Scan new project > CI/CD**.
+1. Click **GitHub Actions**.
+1. A list of repositories appears. Select all the repositories you want to add a Semgrep job to.
+1. If you do not see the repository you want to add, adjust [<i class="fas fa-external-link fa-xs"></i> GitHub Application's Repository Access](https://github.com/settings/installations) configuration. See [Detecting GitHub repositories](#detecting-github-repositories) for more information.
+1. Click **Add CI job**. You are taken to the Add CI job page.
+1. Optional: Click **Review CI config** to see Semgrep's default YAML configuration file. 
+1. Click **Commit file**.
+
+You have now added a Semgrep job to your CI provider. A scan begins automatically after adding a new repository. Its findings are sent to Semgrep Cloud Platform for triage and remediation.
+
+### Detecting GitHub repositories
+
+<PlatformDetectGhRepos />
+
+</TabItem>
+
+<TabItem value="other">
+
+<PlatformAddRepo />
+
+</TabItem>
+</Tabs>
+
+:::tip
+You can edit your configuration files to send findings to **GitHub Advanced Security Dashboard (GHAS)** and **GitLab SAST Dashboard**. Refer to the following samples:
+- [GitHub Advanced Security Dashboard](/semgrep-ci/sample-ci-configs/#github-actions)
+- [GitLab SAST Dashboard](/semgrep-ci/sample-ci-configs/#gitlab-cicd)
+:::
+
+### Sample CI configuration snippets
+
+Refer to the following table for links to sample CI configuration snippets:
+
+| In-app CI provider   | Sample CI configuration snippet |
+| :------------------- | :-----------------------------  |
+| GitHub Actions       |  [`semgrep.yml`](/semgrep-ci/sample-ci-configs/#github-actions) |
+| GitLab CI/CD         | [`.gitlab-ci.yml`](/semgrep-ci/sample-ci-configs/#gitlab-cicd) |
+| Jenkins              | [`Jenkinsfile`](/semgrep-ci/sample-ci-configs/#jenkins) |
+| Bitbucket Pipelines  | [`bitbucket-pipelines.yml`](/semgrep-ci/sample-ci-configs/#bitbucket-pipelines) |
+| CircleCI             | [`config.yml`](/semgrep-ci/sample-ci-configs/#circleci) |
+| Buildkite            | [`pipelines.yml`](/semgrep-ci/sample-ci-configs/#buildkite) |
+| Azure Pipelines      | [`azure-pipelines.yml`](/semgrep-ci/sample-ci-configs/#azure-pipelines) |
+
+## Next steps
+
+Set up PR comments
+
+<!-- After setting up PR comments:
+
+1. (If applicable) Configure SCA scans
+-> Core deployment is done at this point
+
+2. Enterprise stuff
+3. Other deployment environments
+4. Set up notifications, ticketing, API, Devex
+-->
+
+<!--  Outline of other docs
+
+1. This doc - steps through Semgrep Cloud Platform, including: 
+    - intro to diff-aware scanning,
+    - adding timeout
+    - setting a schedule
+    (For all CI providers listed in the app)
+2. GitHub actions branch protection
+3. Other CI providers (environment variables set up) -->
+
+<!-- Changes to existing
+
+https://semgrep.dev/docs/semgrep-ci/running-semgrep-ci-with-semgrep-cloud-platform/#compatibility-of-environment-variables
+-> maybe place these into sample CI configs? or separate thing entirely
+
+-->
diff --git a/docs/deployment/cli-scans.md b/docs/deployment/cli-scans.md
diff --git a/docs/deployment/configure-ci-jobs.md b/docs/deployment/configure-ci-jobs.md
@@ -0,0 +1,57 @@
+---
+slug: configure-ci-jobs 
+title: Configure CI jobs 
+hide_title: true
+description: tk
+tags:
+  - tk
+---
+
+import DiffAwareScanning from "/src/components/reference/_diff-aware-scanning.mdx"
+import CiScheduling from "/src/components/reference/_ci-scheduling.mdx"
+
+# Configure your CI job
+
+:::note Your deployment journey
+- You have [<i class="fa-regular fa-file-lines"></i> created a Semgrep account and organization](/deployment/create-account-and-orgs). 
+- For GitHub and GitLab users: You have [<i class="fa-regular fa-file-lines"></i> connected your source code manager](/deployment/connect-scm).
+- Optionally, you have [<i class="fa-regular fa-file-lines"></i> set up SSO](/deployment/sso).
+- You have successfully added a Semgrep job to your CI workflow.
+:::
+Configure a job's parameters to achieve the following goals: 
+
+* **Run Semgrep on a schedule**. Run full scans on mainline branches at the least intrusive time on developer teams.
+* **Run Semgrep with custom rules**. Apply rules specific to your organization's business goals and coding conventions.
+* **Run Semgrep when an event triggers**. Run Semgrep when a pull or merge request (PR or MR) is created. These event triggers or event hooks are dependent on your CI provider. 
+* **Run Semgrep on relevant files and blocks of code**. Configure Semgrep to ignore files and folders such as test files, configuration files, and files from other vendors.
+<!-- * **Configure a Semgrep CI job to pass even when any finding is detected**. By default, stand-alone configurations fail when any finding is detected. You can also configure Semgrep to pass CI jobs when findings are reported. -->
+* **Output, export, or save findings to a file**. Semgrep can save to a number of file formats, including SARIF and JSON.
+
+## Set up diff-aware scans
+
+:::info
+This section only applies to the following CI providers:
+- Azure Pipelines
+- Jenkins
+- CI providers not listed in Semgrep Cloud Platform
+:::
+
+<DiffAwareScanning />
+
+To configure a diff-aware scan:
+
+1. Create a separate CI job following the steps in [Add Semgrep to CI through Semgrep Cloud Platform](#add-semgrep-to-ci-through-semgrep-cloud-platform).
+1. Set the `SEMGREP_BASELINE_REF` variable in your CI configuration file. The value of this environment variable is typically your trunk branch, such as `main` or `master`.
+
+## Set a scan schedule
+
+<CiScheduling />
+
+## Set a custom timeout
+
+By default, Semgrep times out after 30 minutes. To **set a custom timeout** for the Semgrep job, set the `SEMGREP_TIMEOUT` environment variable in seconds. For example:
+
+```sh
+SEMGREP_TIMEOUT="300"
+```
+
diff --git a/docs/deployment/connect-scm.md b/docs/deployment/connect-scm.md
@@ -27,7 +27,7 @@ You can only connect your Semgrep organization to the source code manager that y
 The process to connect a source code manager depends on whether your SCM tool is cloud-hosted by the service provider, hosted on-premise, or hosted as a single-tenant by the service provider.
 
 :::note Review necessary permissions 
-Refer to the [<i class="fa-regular fa-file-lines"></i> Pre-deployment checklist](/deployment/deployment-checklist) to ensure you have permissions necessary to perform these steps.
+Refer to the [<i class="fa-regular fa-file-lines"></i> Pre-deployment checklist](/deployment/checklist/) to ensure you have permissions necessary to perform these steps.
 :::
 
 ## Connect to cloud-hosted orgs
@@ -55,7 +55,7 @@ You have successfully connected an org in Semgrep Cloud Platform with an organiz
 
 ### Table of required scopes for PATs
 
-Semgrep Cloud Platform requires PATs with assigned scopes. These scopes grant necessary permissions to the PAT and vary depending on the user's plan.
+Semgrep Cloud Platform requires personal access tokens (PATs) with assigned scopes. These scopes grant necessary permissions to the PAT and vary depending on the user's plan.
 
 | GitHub Enterprise Server          | GitLab Self-Managed        |
 |:---------------------------|:---------------------------|

diff --git a/docs/deployment/core-deployment.md b/docs/deployment/core-deployment.md
@@ -91,7 +91,6 @@ Semgrep supports many different technology stacks. Refer to the following table
     </tbody>
 </table>
 
-
 ## Core deployment process
 
 At the minimum, your deployment of Semgrep consists of the following steps: