Status: Closed
Labels: Hacktoberfest (https://hacktoberfest.digitalocean.com/), question (Further information is requested), scanner (Implement or update a security scanner)
Description
🚓 New Scanner implementation request
Is your feature request related to a problem?
As a secureCodeBox user I would like to use semgrep for static application security testing.
Describe the solution you'd like
Integrate semgrep as a SAST scanner. Provide how-tos and parser.
Describe alternatives you've considered
Additional context
- https://github.com/returntocorp/semgrep
- https://owasp.org/www-chapter-newcastle-uk/presentations/2021-02-23-semgrep.pdf
Steps to implement a new scanner
Hint: A general guide on how to implement a new SCB scanner is documented here
- Create a new folder with the name of the scanner here
- Add a README.gotmpl and give a brief overview of the scanner and its configuration options.
- Add a HelmChart and document all configuration options.
- Implement a new scanner specific scan-type.yaml
- Implement a new scanner specific parse-definition.yaml
- Add (optional) some cascading-rules.yaml like documented here
- Add (optional) a Dockerfile for the scanner if there is no existing one publicly available on dockerHub
- Use the parser-SDK to implement a new findings parser (currently based on NodeJS)
- Add unit tests with at minimum 80% test coverage
- Add some example scan.yaml and finding.yaml files in the example folder
- Implement a new integration or E2E test for the hook here
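An added example, not the secureCodeBox project's own parser: a NodeJS findings parser that converts semgrep's JSON report (`semgrep --json`) into secureCodeBox-style findings, run here over constructed sample output. The finding field names, the severity level names and the rule ids in the sample are assumptions and not taken from the project.

```javascript
// Added example, not secureCodeBox's own code: maps semgrep's `--json` output
// to secureCodeBox-style findings. The finding field names (name, description,
// category, location, severity, attributes) are assumed to match the parser-SDK.

// semgrep severities -> secureCodeBox severity levels (target names assumed).
const SEVERITY_MAP = { ERROR: "HIGH", WARNING: "MEDIUM", INFO: "LOW" };

function parse(fileContent) {
  const report = typeof fileContent === "string" ? JSON.parse(fileContent) : fileContent;
  const results = Array.isArray(report.results) ? report.results : [];
  return results.map((r) => {
    const extra = r.extra || {};
    const meta = extra.metadata || {};
    const startLine = r.start ? r.start.line : undefined;
    const endLine = r.end ? r.end.line : undefined;
    return {
      name: r.check_id,
      description: extra.message || "",
      category: "Semgrep Finding",
      location: `${r.path}:${startLine}`,
      // Unknown or missing semgrep severities fall back to INFORMATIONAL.
      severity: SEVERITY_MAP[String(extra.severity || "").toUpperCase()] || "INFORMATIONAL",
      attributes: {
        rule_id: r.check_id, path: r.path, start_line: startLine, end_line: endLine,
        matched_code: extra.lines || null,
        // semgrep rule metadata carries cwe as a string or a list; normalise to a list.
        cwe: Array.isArray(meta.cwe) ? meta.cwe : meta.cwe ? [meta.cwe] : [],
      },
    };
  });
}

// Constructed sample of semgrep JSON output (two findings, rule ids made up) for a stand-alone run.
const SAMPLE_REPORT = JSON.stringify({
  results: [
    { check_id: "javascript.lang.security.detect-eval-with-expression", path: "src/util.js",
      start: { line: 5, col: 1 }, end: { line: 5, col: 20 },
      extra: { message: "Detected eval with a non-literal argument.", severity: "WARNING",
               lines: "eval(code)", metadata: { cwe: "CWE-95" } } },
    { check_id: "generic.secrets.security.detected-private-key", path: "config/dev.pem",
      start: { line: 1, col: 1 }, end: { line: 1, col: 31 },
      extra: { message: "Private key detected in repository.", severity: "ERROR",
               lines: "-----BEGIN RSA PRIVATE KEY-----", metadata: { cwe: ["CWE-798"] } } },
  ],
  errors: [],
});

if (typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(parse(SAMPLE_REPORT), null, 2));
}
```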