Semgrep is used as the SAST tool.
Steps to get the SAST report:
- Check out the code into a local directory from GitHub.
- Go to https://semgrep.dev/login/ and create a login.
- Run: docker run -it returntocorp/semgrep semgrep login
- Open the URL it prints in a browser to activate the token.
- From the command prompt, navigate to the local folder where the code was checked out from GitHub.
- Copy the token and run the command below with it:
- docker run -e SEMGREP_APP_TOKEN=<token> --rm -v "<local repo>:/src" returntocorp/semgrep semgrep ci
- Check the report in the Semgrep UI.
Additional Info (For SVN repo):
Semgrep presently supports only Git projects.
Hence, if you are using SVN as the code repository, first convert the SVN project to a Git project (details at http://souravdalal.blogspot.com/2024/01/convert-svn-project-to-git-project.html).
Once done, you can run the above steps to generate the report.
If you get an error like "Unable to infer repo_url. Set SEMGREP_REPO_URL environment variable or run in a valid git project with remote origin defined", add the Git remote using the command below:
git remote add origin https://github.com/<repo_name>
Run git init in an empty folder first, then run this command there.
If you want to dump the report to a local file, use the command below:
docker run -e SEMGREP_APP_TOKEN=<token> --rm -v "<local repo>:/src" returntocorp/semgrep semgrep ci > semrep_report.txt
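The steps above, wrapped into one POSIX shell script as an added example (this is not part of the original post or of Semgrep's own tooling). It checks the two things that most often break the flow before Docker is started: the token must be set, and the checkout must be a Git working copy with a remote named "origin" (or SEMGREP_REPO_URL must be set), which is exactly the condition behind the "Unable to infer repo_url" error quoted above. It also saves the report to a local file with tee, so the console output is kept too. The variable SEMGREP_DRY_RUN is an assumption of this script (not a Semgrep setting) that prints the docker command instead of running it.

```shell
#!/bin/sh
# Added example (not from the original post): runs the Docker-based Semgrep
# scan with the pre-flight checks a practitioner would want.

# Return 0 when DIR is a Git working copy whose .git/config defines a remote
# named "origin"; return 1 otherwise. Reads .git/config with grep instead of
# calling the git CLI so the check works even where git is not installed.
has_origin_remote() {
  dir="$1"
  [ -f "$dir/.git/config" ] || return 1
  grep -q '^\[remote "origin"\]' "$dir/.git/config"
}

# run_semgrep_scan <checkout dir> [report file]
# Exit codes: 1 bad directory, 2 missing token, 3 no origin remote and no
# SEMGREP_REPO_URL; otherwise the status of the docker pipeline.
run_semgrep_scan() {
  # docker -v needs an absolute host path, so resolve it first.
  repo=$(cd "$1" 2>/dev/null && pwd) || { echo "no such directory: $1" >&2; return 1; }
  out="${2:-semgrep_report.txt}"

  if [ -z "${SEMGREP_APP_TOKEN:-}" ]; then
    echo "SEMGREP_APP_TOKEN is not set; run 'docker run -it returntocorp/semgrep semgrep login' first" >&2
    return 2
  fi
  if ! has_origin_remote "$repo" && [ -z "${SEMGREP_REPO_URL:-}" ]; then
    echo "$repo has no remote 'origin' and SEMGREP_REPO_URL is unset; run 'git remote add origin <url>' first" >&2
    return 3
  fi

  # Build the argument list for docker run from the post's command line.
  set -- -e "SEMGREP_APP_TOKEN=$SEMGREP_APP_TOKEN"
  if [ -n "${SEMGREP_REPO_URL:-}" ]; then
    set -- "$@" -e "SEMGREP_REPO_URL=$SEMGREP_REPO_URL"
  fi
  set -- "$@" --rm -v "$repo:/src" returntocorp/semgrep semgrep ci

  # SEMGREP_DRY_RUN=1 (this script's own switch, not a Semgrep setting) prints
  # the command instead of pulling the image and scanning.
  if [ "${SEMGREP_DRY_RUN:-0}" = 1 ]; then
    printf 'docker run %s\n' "$*"
    return 0
  fi

  # tee shows the findings on the console and writes the local copy in one pass.
  docker run "$@" | tee "$out"
}

# Usage: sh semgrep_scan.sh /path/to/checkout [report.txt]
if [ "$#" -gt 0 ]; then
  run_semgrep_scan "$@"
fi
```

The token is passed through the environment rather than typed on the command line, so it does not end up in the shell history of the script invocation; keep the report file out of version control, since it lists the affected files and lines.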