Blog: Add article about SAST scanning using semgrep#150
Signed-off-by: Max Maass <max.maass@iteratec.com>
blog/2021-10-27-sast-scanning.md
```yaml
key: token
```

If you load this cascading rule and start the git-repo-scanner scan we defined above, it automatically starts scans for all detected (public) repositories (make sure the [git-repo-scanner][gitreposcanner] and [semgrep][semgrep-scb] scantypes as well as the [CascadingScans hook][cascadingscans] are installed).
Why public? Above I saw some Git token.

Maybe you should outline more prominently at the beginning that this example operates on public GitHub repos. At first I thought this was a generic example where I have to fill in the gaps with my git server URI.
The idea was to also showcase the filtering possibilities of cascading scan jobs (it is explained in greater detail the first time the cascading scan job is discussed). I have made some changes with the last commit, let me know if you like it like this, or if you would prefer if I completely remove the filtering examples.
Co-authored-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
Signed-off-by: Max Maass <max.maass@iteratec.com>

6d7954d to 027e189
Seems like there was an issue with the release of the docker images for the semgrep parser, so maybe we should hold off on publishing this until that is resolved (see secureCodeBox/secureCodeBox#784).

IMHO the release issue is not a big deal.
I opted to present the new features as part of a larger narrative about how you can use secureCodeBox to run one-off analyses of your codebase, using the UA-parser.js backdoor as a motivating example (which makes for a more compelling story than saying "secureCodeBox: Like SAST in your CI, but worse!" 😁).
Looking forward to your feedback.