add semgrep action

Author: witmicko

.github/workflows/reusable-semgrep.yml

@@ -0,0 +1,49 @@
+name: 'Reusable Semgrep Analysis'
+
+on:
+  workflow_call:
+    inputs:
+      repo:
+        description: 'Repository that requested the scan'
+        required: true
+        type: string
+      paths_ignored:
+        description: 'Comma delimited paths to ignore during scan'
+        required: false
+        type: string
+        default: ''
+    outputs:
+      sarif-id:
+        description: 'SARIF file identifier'
+        value: ${{ jobs.semgrep-analysis.outputs.sarif-id }}
+
+jobs:
+  semgrep-analysis:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    outputs:
+      sarif-id: ${{ steps.upload.outputs.sarif-id }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ inputs.repo }}
+          path: ${{ inputs.repo }}
+
+      - name: Call Security Code Scanner Semgrep Action
+        id: semgrep-scan
+        uses: ./packages/semgrep-action
+        with:
+          paths_ignored: ${{ inputs.paths_ignored }}
+
+      - name: Upload SARIF
+        id: upload
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: semgrep-results.sarif
+          category: semgrep

packages/semgrep-action/.github/CODEOWNERS

@@ -0,0 +1 @@
+* @witmicko

packages/semgrep-action/CONTRIBUTING.md

@@ -0,0 +1,111 @@
+# Contributing to Security Code Scanner Semgrep Rules
+
+This guide is intended to help guide you though the process of adding a new Semgrep rule that this action will run.
+
+## Prerequisites
+
+Before contributing, ensure that you have [Semgrep](https://semgrep.dev/) installed. You can find installation instructions [here](https://semgrep.dev/docs/getting-started/quickstart).
+
+## Writing Your Own Rules
+
+When adding a new rule follow these guidelines:
+
+1. **Start with a Template**
+   - Use the `rule.template.yml` file located in the root of this repository as a starting point. It includes standard fields and formatting we expect in all rules.
+   - To create a new rule, copy the template and place it in the appropriate folder:
+     ```bash
+     cp rule.template.yml rules/src/ < language > / < your-rule-name > .yml
+     ```
+
+2. **Organize Rule Files**
+   - Rules should be placed in the `rules/src` directory, organized by language or context. For example:
+     ```
+     rules/src/js/your-js-rule.yml
+     ```
+   - The rule name (defined in the `id` field) must match the filename, excluding the `.yml` extension. For example:
+     - Rule filename: `your-js-rule.yml`
+     - Rule ID: `your-js-rule`
+
+3. **Write and Iterate on the Rule**
+   - Use the [Semgrep Playground](https://semgrep.dev/playground/new) to draft and refine your rule. If you've never written a Semgrep rule before, I recommend working through [Semgrep's interactive tutorial](https://semgrep.dev/learn). If you want to jump right in, check out Semgrep's [rule writing docs](https://semgrep.dev/docs/writing-rules/overview).
+
+4. **Add Test Files**
+   - Write tests for your rule in the `rules/test` directory, mirroring the structure of `rules/src`. For example:
+     ```
+     rules/test/js/your-js-rule.js
+     ```
+   - Test filenames should match the rule ID and filename, but with the correct file extension (e.g., `.js` for JavaScript tests). Example:
+     - Rule filename: `your-js-rule.yml`
+     - Test file: `your-js-rule.js`.
+
+## Rule Metadata
+
+In order for our rules to be rendered correctly within GitHub we require additional metadata properties. The screenshots below illustrate how these properties are displayed within GitHub's inline rule warnings and on the detailed rule information page.
+
+**Example Rule: hello-world**
+
+```
+rules:
+  - id: hello-world
+    languages:
+      - js
+    severity: INFO
+    metadata:
+      tags: [security]
+      shortDescription: Hello, World!
+      help: "The Security Code Scanner is here to help review your code for vulnerabilities."
+      confidence: HIGH
+    message: We saw you said hello world and wanted to say hi back!
+    pattern: |
+      console.log("Hello, World!");
+```
+
+**Metadata shown on the code scanning alert details page**
+<img width="600" alt="" src="https://github.com/user-attachments/assets/d3b79ddf-ab79-46ef-83d7-035fe41fa2fb" />
+
+**Metadata shown on an inline code scanning alert**
+<img width="600" alt="" src="https://github.com/user-attachments/assets/e918311f-94d8-4be0-86d8-cc6c30853740" />
+
+## Writing Tests For Your Rules
+
+Testing is a critical step in ensuring the quality and reliability of your rules. Follow these steps:
+
+1. **Write Thorough Test Cases**
+   - Test files can include:
+     - **Positive cases**: Examples where the rule should trigger.
+     - **Negative cases**: Examples where the rule should not trigger.
+   - Refer to the [Semgrep documentation on testing rules](https://semgrep.dev/docs/writing-rules/testing-rules) for more detailed guidance.
+
+2. **Validate Rule Syntax**
+   - Use the `bin/validate-rules` script to check for syntax errors:
+     ```bash
+     ./bin/validate-rules
+     ```
+
+3. **Run Tests**
+   - Use the `bin/test` script to verify that your rule behaves as expected:
+     ```bash
+     ./bin/test
+     ```
+
+## Testing Rules Against Local Repositories
+
+If you would like to test your rules against a local folder or directory on your machine, you can run the following command to perform a local scan:
+
+```bash
+./bin/scan path/to/directory
+```
+
+Note that Semgrep will scan _all_ files within the specified directory. In other words, if the directory contains multiple repositories, all of them will be scanned at once.
+
+## Contribution Workflow
+
+1. Create a new branch from the main branch for your changes.
+2. Add or update rule files and test cases as outlined above.
+3. Run the `bin/validate-rules` and `bin/test` scripts to ensure your changes are valid.
+4. Open a pull request with a clear explanation of the rule's purpose.
+
+## Notes
+
+- Always consider the specific needs and contexts of your codebase when writing rules. Rules should help identify issues or enforce patterns relevant to security.
+- If you encounter challenges or have questions, please reach out to @witmicko.

packages/semgrep-action/README.md

@@ -0,0 +1,15 @@
+# Security Code Scanner - Semgrep Action
+
+This repository is home to the GitHub action workflow that will run perform a semgrep scan on a checked out repository. After the scan is complete, the results will be uploaded to GitHub's Code Scanning API.
+
+## Usage
+
+```
+- name: Semgrep Scan
+    uses: metamask/security-codescanner-monorepo/packages/semgrep-action@main
+    with:
+        # optional string parameter
+        paths_ignored: ...
+```
+
+For information on how to contribute rules to this repository, please see the CONTRIBUTING.md file in this package.

packages/semgrep-action/action.yml

@@ -0,0 +1,42 @@
+name: Security Code Scanner - Semgrep
+description: 'Runs a Semgrep scan on a repository and uploads the results to GitHub'
+
+inputs:
+  paths_ignored:
+    description: 'List of paths or patterns to ignore'
+    required: false
+    default: ''
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Copy Semgrep Action Files to Workspace Root
+      run: |
+        echo "Copying Semgrep action files to workspace root for flat structure..."
+        cp -r ${{ github.action_path }}/rules ${{ github.workspace }}/
+        echo "Files copied. Semgrep rules structure:"
+        ls -la ${{ github.workspace }}/rules/
+      shell: bash
+
+    - name: Install Semgrep
+      run: |
+        pip install semgrep
+      shell: bash
+
+    - name: Generate .semgrepignore
+      run: |
+        echo "${{ inputs.paths_ignored }}" > .semgrepignore
+        cat .semgrepignore
+      shell: bash
+
+    - name: Run Semgrep Scan
+      run: |
+        semgrep --config ./rules/src --output semgrep-results.sarif --sarif --verbose
+      shell: bash
+      continue-on-error: true
+
+    - name: Upload Semgrep Results to GitHub
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: semgrep-results.sarif
+        checkout_path: ${{ github.workspace }}

packages/semgrep-action/bin/scan

@@ -0,0 +1,10 @@
+#!/bin/bash
+# Run semgrep locally against a directory
+
+if [ -z "$1" ]; then
+    echo "Usage: $0 <path/to/directory>"
+    exit 1
+fi
+
+# Run semgrep locally against the provided directory
+semgrep --config rules/src/ "$1"

packages/semgrep-action/bin/test

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Run semgrep test cases for specific rules
+semgrep --test --config rules/src/ rules/test/

packages/semgrep-action/bin/validate-rules

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Validate config is valid before testing
+semgrep --validate --config ./rules/src

packages/semgrep-action/package.json

@@ -0,0 +1,22 @@
+{
+  "name": "@metamask/semgrep-action",
+  "version": "1.0.0",
+  "private": true,
+  "description": "Semgrep-based security scanning action",
+  "keywords": [
+    "security",
+    "semgrep",
+    "github-action"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git@github.com:MetaMask/security-codescanner-monorepo.git"
+  },
+  "license": "ISC",
+  "author": "witmicko",
+  "scripts": {
+    "lint": "prettier '**/*.json' '**/*.md' '**/*.yml' --check --ignore-path .gitignore --no-error-on-unmatched-pattern",
+    "lint:fix": "prettier '**/*.json' '**/*.md' '**/*.yml' --write --ignore-path .gitignore --no-error-on-unmatched-pattern",
+    "test": "echo \"Error: no test specified\" && exit 1"
+  }
+}

packages/semgrep-action/rule.template.yml

@@ -0,0 +1,20 @@
+# This template contains the minimum required fields for our Semgrep rules.
+# For detailed guidance on additional fields and best practices, refer to: https://semgrep.dev/docs/writing-rules/overview
+
+rules:
+  - id: # Rule identifier - should match the file name (excluding the extension) for consistency and easy traceability.
+    languages:
+      - "..." # See https://semgrep.dev/docs/supported-languages#language-support for supported languages
+    severity: "..." # Options are INFO, WARN, ERROR. See See https://semgrep.dev/docs/writing-rules/rule-syntax#required
+    metadata:
+      tags: [security]
+      shortDescription: "..." # In GitHub's UI, this is the title of the rule. Keep it concise but descriptive.
+      help: "..." # Used to provide help documentation, or other resources to help users understand and resolve the finding.
+      confidence:
+        "..." # Confidence level of the rule match.
+        # - LOW: Matches are likely false positives or require significant manual review.
+        # - MEDIUM: Matches are often correct but may occasionally require review.
+        # - HIGH: Matches are almost always accurate.
+    message: "..." # Message shown to the user underneath the `shortDescription` once a rule is triggered.
+    pattern:
+      "..." # Add rule pattern here