DWN-51053: Added semgrep to new config.yml

2024-03-11 11:34:18 +00:00 · 2024-03-11 11:34:18 +00:00 · 19ceb2053c
parent fae4cc43e8
commit 19ceb2053c
1 changed files with 43 additions and 1 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -6,7 +6,7 @@ parameters:
    default: false

 orbs:
-  gresham: gresham-computing/gresham-orb@5.1.0
+  gresham: gresham-computing/gresham-orb@5.8.0

 executors:
  docker-executor:
@ -16,6 +16,10 @@ executors:
          aws_access_key_id: $GIS_PRD_ECR_INT_BUILD_ACCESS_KEY
          aws_secret_access_key: $GIS_PRD_ECR_INT_BUILD_SECRET_ACCESS_KEY

+  linux-machine:
+    machine:
+      image: ubuntu-2204:2023.10.1
+
 jobs:
  build-and-deploy:
    executor: docker-executor
@ -83,6 +87,22 @@ jobs:
      - gresham/whitelist-remove:
          pattern: OpenId

+  semgrep-scan:
+    executor: linux-machine
+    resource_class: medium
+    steps:
+      - checkout
+      - gresham/get-whitelister
+      - gresham/whitelist-add:
+          pattern: OpenId
+          kondukto: true
+      - gresham/semgrep-scan:
+          kondukto: true
+          konduktoProject: "openid-connect-server"
+          konduktoBranch: "${CIRCLE_BRANCH}"
+      - gresham/whitelist-remove:
+          pattern: OpenId
+          kondukto: true
 workflows:
  build-and-test:
    unless: << pipeline.parameters.release >>
@ -112,6 +132,28 @@ workflows:
            branches:
              only: 1.3.x

+  semgrep-scan:
+    when: << pipeline.parameters.semgrep_scan >>
+    jobs:
+      - semgrep-scan:
+          context:
+            - gresham-aws
+            - CircleCi-Gresham-Credentials
+
+  scheduled-security-scan:
+    triggers:
+      - schedule:
+          cron: 0 4 * * 1
+          filters:
+            branches:
+              only: main
+    jobs:
+      - semgrep-scan:
+          name: Semgrep Scan
+          context:
+            - gresham-aws
+            - CircleCi-Gresham-Credentials
+
 commands:
  setup-git-credentials:
    steps: