ci: add semgrep check (#360)

venikkin · web-flow · commit 03fb1d35c064 · 2026-01-14T10:35:31.000Z
diff --git a/.teamcity/builds/Build.kt b/.teamcity/builds/Build.kt
@@ -22,6 +22,8 @@ class Build(
             buildType(WhiteListCheck("${name}-whitelist-check", "white-list check"))
         if (forPullRequests) dependentBuildType(PRCheck("${name}-pr-check", "pr check"))
         parallel {
+          dependentBuildType(SemgrepCheck("${name}-semgrep-check", "semgrep check"))
+
           listOf("17", "21").forEach { java ->
             dependentBuildType(
                 Maven(
diff --git a/.teamcity/builds/Common.kt b/.teamcity/builds/Common.kt
@@ -16,6 +16,11 @@ const val MAVEN_DEFAULT_ARGS = "--no-transfer-progress --batch-mode --show-versi
 const val DEFAULT_JAVA_VERSION = "17"
 const val LTS_JAVA_VERSION = "21"
 
+const val SEMGREP_DOCKER_IMAGE = "semgrep/semgrep:1.146.0"
+
+const val FULL_GITHUB_REPOSITORY = "$GITHUB_OWNER/$GITHUB_REPOSITORY"
+const val GITHUB_URL = "https://github.com/$FULL_GITHUB_REPOSITORY"
+
 enum class LinuxSize(val value: String) {
   SMALL("small"),
   LARGE("large")
diff --git a/.teamcity/builds/Maven.kt b/.teamcity/builds/Maven.kt
@@ -2,22 +2,25 @@ package builds
 
 import jetbrains.buildServer.configs.kotlin.BuildType
 import jetbrains.buildServer.configs.kotlin.buildFeatures.dockerSupport
+import jetbrains.buildServer.configs.kotlin.buildSteps.MavenBuildStep
 import jetbrains.buildServer.configs.kotlin.toId
 
-class Maven(
+open class Maven(
     id: String,
     name: String,
     goals: String,
     args: String? = null,
     javaVersion: String = DEFAULT_JAVA_VERSION,
-    size: LinuxSize = LinuxSize.SMALL
+    size: LinuxSize = LinuxSize.SMALL,
+    mavenVersion: MavenBuildStep.MavenVersion? = null,
 ) :
     BuildType({
       this.id(id.toId())
       this.name = name
 
       steps {
         runMaven(javaVersion) {
+          this.mavenVersion = mavenVersion
           this.goals = goals
           this.runnerArgs = "$MAVEN_DEFAULT_ARGS ${args ?: ""}"
         }
diff --git a/.teamcity/builds/NightlyBuild.kt b/.teamcity/builds/NightlyBuild.kt
@@ -0,0 +1,49 @@
+package builds
+
+import jetbrains.buildServer.configs.kotlin.Project
+import jetbrains.buildServer.configs.kotlin.sequential
+import jetbrains.buildServer.configs.kotlin.toId
+import jetbrains.buildServer.configs.kotlin.triggers.schedule
+import jetbrains.buildServer.configs.kotlin.triggers.vcs
+
+class NightlyBuild(name: String): Project({
+    this.id(name.toId())
+    this.name = name
+
+    val complete = Empty("${name}-complete", "complete")
+
+    val bts = sequential {
+        dependentBuildType(SemgrepCheck("${name}-semgrep-check", "semgrep check"))
+        dependentBuildType(complete)
+    }
+
+    bts.buildTypes().forEach {
+        it.thisVcs()
+
+        it.features {
+            enableCommitStatusPublisher()
+        }
+
+        buildType(it)
+    }
+
+    complete.triggers {
+        vcs { enabled = false }
+
+        schedule {
+            branchFilter = buildString {
+                appendLine("+:main")
+                appendLine("+:refs/heads/main")
+            }
+            schedulingPolicy = daily {
+                hour = 7
+                minute = 0
+            }
+            triggerBuild = always()
+            withPendingChangesOnly = false
+            enforceCleanCheckout = true
+            enforceCleanCheckoutForDependencies = true
+        }
+    }
+
+})
diff --git a/.teamcity/builds/SemgrepCheck.kt b/.teamcity/builds/SemgrepCheck.kt
@@ -0,0 +1,35 @@
+package builds
+
+import jetbrains.buildServer.configs.kotlin.buildSteps.MavenBuildStep
+import jetbrains.buildServer.configs.kotlin.buildSteps.ScriptBuildStep
+
+class SemgrepCheck(
+    id: String,
+    name: String
+): Maven(
+    id,
+    name,
+    "dependency:tree",
+    "-DoutputFile=maven_dep_tree.txt",
+    mavenVersion = MavenBuildStep.MavenVersion.Bundled_3_9()
+) {
+
+    init {
+
+        params.password("env.SEMGREP_APP_TOKEN", "%semgrep-app-token%")
+        params.text("env.SEMGREP_REPO_NAME", FULL_GITHUB_REPOSITORY)
+        params.text("env.SEMGREP_REPO_URL", GITHUB_URL)
+        params.text("env.SEMGREP_BRANCH", "%teamcity.build.branch%")
+        params.text("env.SEMGREP_JOB_URL", "%env.BUILD_URL%")
+        params.text("env.SEMGREP_COMMIT", "%env.BUILD_VCS_NUMBER%")
+
+        steps.step(ScriptBuildStep {
+            scriptContent="semgrep ci --no-git-ignore"
+            dockerImagePlatform = ScriptBuildStep.ImagePlatform.Linux
+            dockerImage = SEMGREP_DOCKER_IMAGE
+            dockerRunParameters =
+                "--volume /var/run/docker.sock:/var/run/docker.sock --volume %teamcity.build.checkoutDir%/signingkeysandbox:/root/.gnupg"
+        })
+    }
+
+}
diff --git a/.teamcity/settings.kts b/.teamcity/settings.kts
@@ -1,4 +1,5 @@
 import builds.Build
+import builds.NightlyBuild
 import jetbrains.buildServer.configs.kotlin.project
 import jetbrains.buildServer.configs.kotlin.version
 
@@ -11,6 +12,7 @@ project {
     password("signing-key-passphrase", "%publish-signing-key-password%")
     password("github-commit-status-token", "%github-token%")
     password("github-pull-request-token", "%github-token%")
+    password("semgrep-app-token", "%semgrep-token%")
   }
 
   subProject(
@@ -37,4 +39,5 @@ project {
               """
                   .trimIndent(),
           forPullRequests = true))
+  subProject(NightlyBuild("nightly"))
 }
