smithy-security · ptzianos · Mar 11, 2025 · Feb 22, 2025 · Feb 22, 2025 · Mar 8, 2025
diff --git a/examples/dast-project/kustomization.yaml b/examples/dast-project/kustomization.yaml
diff --git a/examples/dast-project/pipelinerun.yaml b/examples/dast-project/pipelinerun.yaml
diff --git a/examples/semgrep/overrides.yaml.example b/examples/semgrep/overrides.yaml.example
@@ -0,0 +1,4 @@
+git-clone:
+- name: "repo_url"
+  type: "string"
+  value: "https://github.com/0c34/govwa.git"
diff --git a/examples/semgrep/workflow.yaml b/examples/semgrep/workflow.yaml
@@ -0,0 +1,7 @@
+description: GoSec based workflow
+name: gosec
+components:
+- component: file://new-components/targets/git-clone/component.yaml
+- component: file://new-components/scanners/semgrep/component.yaml
+- component: file://new-components/enrichers/custom-annotation/component.yaml
+- component: file://new-components/reporters/json-logger/component.yaml
diff --git a/new-components/scanners/semgrep/README.md b/new-components/scanners/semgrep/README.md
@@ -0,0 +1,17 @@
+# semgrep
+
+This component implements a [scanner](https://github.com/smithy-security/smithy/blob/main/sdk/component/component.go)
+that parses [sarif](https://sarifweb.azurewebsites.net/) reports output
+by [semgrep](https://github.com/semgrep/semgrep) into [ocsf](https://github.com/ocsf) format.
+
+## Parser Environment variables
+
+The component uses environment variables for configuration.
+
+It requires the component
+environment variables defined [here](https://github.com/smithy-security/smithy/blob/main/sdk/README.md#component) as well
+as the following:
+
+| Environment Variable     | Type   | Required | Default    | Description                                             |
+|--------------------------|--------|----------|------------|---------------------------------------------------------|
+| SEMGREP\_RAW\_OUT\_FILE\_PATH  | string | yes      | -          | The path where to find the semgrep sarif report   |
diff --git a/new-components/scanners/semgrep/cmd/main.go b/new-components/scanners/semgrep/cmd/main.go
@@ -0,0 +1,37 @@
+package main
+
+import (
+	"context"
+	"log"
+	"time"
+
+	"github.com/go-errors/errors"
+
+	"github.com/smithy-security/smithy/sdk/component"
+
+	"github.com/smithy-security/smithy/new-components/scanners/semgrep/internal/transformer"
+)
+
+func main() {
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
+	defer cancel()
+
+	if err := Main(ctx); err != nil {
+		log.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func Main(ctx context.Context, opts ...component.RunnerOption) error {
+	opts = append(opts, component.RunnerWithComponentName("semgrep"))
+
+	ocsfTransformer, err := transformer.New()
+	if err != nil {
+		return errors.Errorf("could not create transformer: %w", err)
+	}
+
+	if err := component.RunScanner(ctx, ocsfTransformer, opts...); err != nil {
+		return errors.Errorf("could not run scanner: %w", err)
+	}
+
+	return nil
+}
diff --git a/new-components/scanners/semgrep/component.yaml b/new-components/scanners/semgrep/component.yaml
@@ -0,0 +1,21 @@
+name: semgrep
+description: "Runs Semgrep then parses findings into the OCSF format"
+type: scanner
+steps:
+  - name: run-semgrep
+    image: docker.io/returntocorp/semgrep:1.80
+    executable: /usr/local/bin/semgrep
+    args:
+    - scan
+    - --metrics=off
+    - --config
+    - p/default
+    - --sarif
+    - --sarif-output
+    - /workspace/repos/semgrep-out.sarif.json
+    - /workspace/repos/
+  - name: parser
+    image: new-components/scanners/semgrep
+    env_vars:
+      SEMGREP_RAW_OUT_FILE_PATH: /workspace/repos/semgrep-out.sarif.json
+    executable: /bin/app
diff --git a/new-components/scanners/semgrep/go.mod b/new-components/scanners/semgrep/go.mod
@@ -0,0 +1,66 @@
+module github.com/smithy-security/smithy/new-components/scanners/semgrep
+
+go 1.23.3
+
+require (
+	github.com/go-errors/errors v1.5.1
+	github.com/jonboulle/clockwork v0.5.0
+	github.com/smithy-security/pkg/env v0.0.1
+	github.com/smithy-security/pkg/sarif v0.0.2-0.20250222165940-29e961d68678
+	github.com/smithy-security/smithy/sdk v0.0.4-alpha
+	github.com/stretchr/testify v1.10.0
+	google.golang.org/protobuf v1.36.5
+)
+
+require (
+	ariga.io/atlas v0.29.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.2.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
+	github.com/abice/go-enum v0.6.0 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
+	github.com/bmatcuk/doublestar v1.3.4 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/go-openapi/inflect v0.19.0 // indirect
+	github.com/golang/mock v1.6.0 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.18.1 // indirect
+	github.com/huandu/xstrings v1.3.3 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
+	github.com/jackc/pgx/v5 v5.6.0 // indirect
+	github.com/labstack/gommon v0.4.1 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-sqlite3 v1.14.24 // indirect
+	github.com/mattn/goveralls v0.0.12 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/package-url/packageurl-go v0.1.3 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/shopspring/decimal v1.2.0 // indirect
+	github.com/spf13/cast v1.3.1 // indirect
+	github.com/sqlc-dev/sqlc v1.27.0 // indirect
+	github.com/urfave/cli/v2 v2.26.0 // indirect
+	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
+	github.com/zclconf/go-cty v1.14.4 // indirect
+	go.uber.org/mock v0.5.0 // indirect
+	golang.org/x/crypto v0.24.0 // indirect
+	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/tools v0.22.0 // indirect
+	golang.org/x/tools/cmd/cover v0.1.0-deprecated // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
+	google.golang.org/grpc v1.65.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)