feature: semgrep

Author: andrzej-janczak

.codacy/codacy.yaml

@@ -6,3 +6,4 @@ tools:
     - [email protected]
     - [email protected]
     - [email protected]
+    - [email protected]

cmd/analyze.go

@@ -226,6 +226,18 @@ func runPylintAnalysis(workDirectory string, pathsToCheck []string, outputFile s
 	}
 }
 
+func runSemgrepAnalysis(workDirectory string, pathsToCheck []string, outputFile string, outputFormat string) {
+	semgrep := config.Config.Tools()["semgrep"]
+	if semgrep == nil {
+		log.Fatal("Semgrep tool configuration not found")
+	}
+
+	err := tools.RunSemgrep(workDirectory, semgrep, pathsToCheck, outputFile, outputFormat)
+	if err != nil {
+		log.Fatalf("Failed to run Semgrep analysis: %v", err)
+	}
+}
+
 var analyzeCmd = &cobra.Command{
 	Use:   "analyze",
 	Short: "Runs all configured linters.",
@@ -312,6 +324,8 @@ func runTool(workDirectory string, toolName string, args []string, outputFile st
 		runPmdAnalysis(workDirectory, args, outputFile, outputFormat)
 	case "pylint":
 		runPylintAnalysis(workDirectory, args, outputFile, outputFormat)
+	case "semgrep":
+		runSemgrepAnalysis(workDirectory, args, outputFile, outputFormat)
 	default:
 		log.Printf("Warning: Unsupported tool: %s\n", toolName)
 	}

plugins/tools/semgrep/plugin.yaml

@@ -0,0 +1,16 @@
+name: semgrep
+description: Static Analysis Security Testing (SAST) tool
+runtime: python
+runtime_binaries:
+  package_manager: python3
+  execution: python3
+binaries:
+  - name: python
+    path: "venv/bin/python3"
+formatters:
+  - name: json
+    flag: "--json"
+output_options:
+  file_flag: "--output"
+analysis_options:
+  default_path: "."

tools/semgrepRunner.go

@@ -0,0 +1,62 @@
+package tools
+
+import (
+	"codacy/cli-v2/plugins"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+)
+
+// RunSemgrep executes Semgrep analysis on the specified directory
+func RunSemgrep(workDirectory string, toolInfo *plugins.ToolInfo, files []string, outputFile string, outputFormat string) error {
+	// Get Python binary from venv
+	pythonPath := filepath.Join(toolInfo.InstallDir, "venv", "bin", "python3")
+
+	// Construct base command with -m semgrep to run semgrep module
+	cmdArgs := []string{"-m", "semgrep", "scan"}
+
+	// Add output format if specified
+	if outputFormat == "sarif" {
+		cmdArgs = append(cmdArgs, "--sarif")
+	}
+
+	// add --config auto
+	cmdArgs = append(cmdArgs, "--config", "auto")
+
+	// Add files to analyze - if no files specified, analyze current directory
+	if len(files) > 0 {
+		cmdArgs = append(cmdArgs, files...)
+	} else {
+		cmdArgs = append(cmdArgs, ".")
+	}
+
+	// Create Semgrep command
+	cmd := exec.Command(pythonPath, cmdArgs...)
+	cmd.Dir = workDirectory
+
+	// If output file is specified, create it and redirect output
+	var outputWriter *os.File
+	var err error
+	if outputFile != "" {
+		outputWriter, err = os.Create(filepath.Clean(outputFile))
+		if err != nil {
+			return fmt.Errorf("failed to create output file: %w", err)
+		}
+		defer outputWriter.Close()
+		cmd.Stdout = outputWriter
+	} else {
+		cmd.Stdout = os.Stdout
+	}
+	cmd.Stderr = os.Stderr
+
+	// Run Semgrep
+	if err := cmd.Run(); err != nil {
+		// Semgrep returns non-zero exit code when it finds issues, which is expected
+		if _, ok := err.(*exec.ExitError); !ok {
+			return fmt.Errorf("failed to run semgrep: %w", err)
+		}
+	}
+
+	return nil
+}