chore: upgrade Semgrep to latest (#11)

Needed by #10, latest version fixes a bug with the `--validate` command (which causes the CI to fail). Version is also ancient thus needs upgrading

Author: NyanKiyoshi

.github/workflows/action-run-semgrep.yaml

@@ -36,7 +36,7 @@ on:
           - p/python (public library)
           - ./rules/my-rule.yaml (single YAML file)
           - ./my-rules/ (directory of N YAML files)
-          
+
           By default the rules will be added on top of this workflow's default rules
           (see the input `use_default_config` and the environment variable
           `DEFAULT_CONFIG` for more information).
@@ -80,10 +80,10 @@ jobs:
   scan:
     if: (github.actor != 'dependabot[bot]')
     name: semgrep/ci
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     container:
       # Note: the non-root flavor doesn't work on GHA (e.g., 1.57.0-nonroot).
-      image: returntocorp/semgrep@sha256:396f4ad7a655289e764ab2f92733e6195c166ff2f042e0d40505a5850432b9ac # 1.63.0
+      image: returntocorp/semgrep:1.153.1@sha256:50b839b576d76426efd3e5cffda2db0d8c403f53aa76e91d42ccf51485ac336c
 
     steps:
       # Clone the invoker's repository.
@@ -119,7 +119,7 @@ jobs:
           EXCLUDE_RULES: ${{ inputs.exclude_rules }}
         run: |
           set -u -o pipefail
-          
+
           cmd_args=(
               # Do not check for version update as we are inside a CI.
               "--disable-version-check"
@@ -131,32 +131,32 @@ jobs:
               # the users to be explicit.
               "--no-git-ignore"
           )
-          
+
           # Add extra logging if the runner was run with debug logging.
           test -z "${RUNNER_DEBUG+x}" || cmd_args+=( "--verbose" )
-          
+
           if [ "$USE_DEFAULT_CONFIG" == true ]; then
             CONFIG_PATHS="$DEFAULT_CONFIG $CONFIG_PATHS"
           fi
-          
+
           if [ "$USE_DEFAULT_EXCLUDE_RULES" == true ]; then
             EXCLUDE_RULES="$DEFAULT_EXCLUDE_RULE_IDS $EXCLUDE_RULES"
           fi
-          
+
           # Gather the config input whitespace-separate value
           # into a list of `--config=<value>` arguments.
           read -d '' -r -a configs < <(echo "$CONFIG_PATHS") || true
           for cfg in "${configs[@]}"; do
             cmd_args+=( "--config=$cfg" )
           done
-          
+
           # Gather the excluded rules ID into a list
           # of `--exclude-rule=<value>` arguments.
           read -d '' -r -a exclude_rules < <(echo "$EXCLUDE_RULES") || true
           for excluded_rule_id in "${exclude_rules[@]}"; do
             cmd_args+=( "--exclude-rule=$excluded_rule_id" )
           done
-          
+
           semgrep ci "${cmd_args[@]}"
 
       - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # 4.3.0
@@ -176,7 +176,7 @@ jobs:
     needs:
       - scan
     name: SARIF to PR Annotations
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     container:
       # Note: distroless flavor doesn't work on GHA.
       image: ghcr.io/nyankiyoshi/less-advanced-security@sha256:689f73bed448ce40ca4ed01f6585f22665c0c302ed0e882d1fc78016c12f2880 # 0.5.0

.github/workflows/test-rules.yaml

@@ -1,14 +1,17 @@
 name: Test Semgrep Rules
 on:
   push:
+    branches: [main]
   pull_request:
 
+permissions: {}
+
 jobs:
   main:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
-    # Note: the non-root flavor doesn't work on GHA (e.g., 1.56.0-nonroot).
-    container: returntocorp/semgrep@sha256:396f4ad7a655289e764ab2f92733e6195c166ff2f042e0d40505a5850432b9ac # 1.63.0
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout
@@ -17,22 +20,12 @@ jobs:
       # Checks for syntax errors and runs 'p/semgrep-rule-lints'.
       - name: Validate Rules
         shell: bash
-        run: |
-          config_args=()
-
-          # As of semgrep 1.58.0, hidden directories are no longer excluded
-          # when passing "--validate ./" thus we need to manually exclude hidden
-          # directories.
-          while IFS= read -r -d '' dir; do
-            config_args+=( "--config=$dir" )
-          done < <(find . -maxdepth 1 -mindepth 1 -type d -not -path '*/\.*' -print0)
-          
-          semgrep scan --validate "${config_args[@]}"
+        run: make validate
 
       - name: Test Rules
-        run: semgrep --test ./
+        run: make test
 
       # This runs the rules from https://github.com/semgrep/semgrep-rules/tree/835867f89e4ba07f8bb4a6a1619507408e63e9b0/yaml/semgrep
       # to ensure best practices are followed. The CI will only fail on error.
       - name: Run Semgrep Rules Recommendation Checks
-        run: semgrep --config=r/yaml.semgrep --severity ERROR ./
+        run: make checks

Makefile

@@ -0,0 +1,34 @@
+semgrep_image ?= returntocorp/semgrep:1.153.1@sha256:50b839b576d76426efd3e5cffda2db0d8c403f53aa76e91d42ccf51485ac336c
+semgrep_container = \
+	docker run \
+		--rm \
+		-v "$(PWD)":/src:ro \
+		-w /src \
+		$(semgrep_image) \
+		semgrep
+
+# List of all rules in our project
+configs = \
+	--config=./yaml/ \
+	--config=./typescript/
+
+all: validate test checks
+
+# Check rules are valid
+validate:
+	$(semgrep_container) \
+		--validate \
+		$(configs)
+
+# Run test files
+test:
+	$(semgrep_container) \
+		--test \
+		./
+
+# Run official recommendation checks
+checks:
+	$(semgrep_container) \
+		--config=r/yaml.semgrep \
+		--severity=ERROR \
+		./