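#!/bin/bash
#
# Run Semgrep on OpenEMR PHP code using Docker
#
# Usage:
# ./run-semgrep.sh [options]
#
# Options:
# --output-format <format> Output format: text, json, sarif (default: text)
# --output-file <file> Write results to file instead of stdout
# --config <config> Semgrep config/ruleset (default: uses registry + local rules)
# --severity <level> Filter by severity: INFO, WARNING, ERROR (can repeat)
# --exclude <pattern> Additional patterns to exclude
# --help Show this help message
#
# Environment:
# SEMGREP_IMAGE Docker image to run (default: semgrep/semgrep:latest)
#
# Notes:
# - Status messages are written to stderr so that json/sarif results on
#   stdout stay machine-readable (e.g. ./run-semgrep.sh --output-format json | jq).
# - The container only sees this script's directory (mounted at /src), so
#   relative --output-file paths land there; absolute paths must be inside it.
#
set -eo pipefail

# Default values
OUTPUT_FORMAT="text"
OUTPUT_FILE=""
CONFIG="" # Empty means use default (registry + local)
SEVERITY=""
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# The upstream tag is mutable; point SEMGREP_IMAGE at a digest-pinned
# reference (semgrep/semgrep@sha256:<digest>) for reproducible scans.
SEMGREP_IMAGE="${SEMGREP_IMAGE:-semgrep/semgrep:latest}"
# The semgrep image expects the source tree at /src
readonly MOUNT_POINT="/src"

# Arrays for building arguments
declare -a EXTRA_EXCLUDES=()
# Read-only bind mounts for config files that live outside the source tree
declare -a EXTRA_MOUNTS=()

#######################################
# Print the help text to stdout (mirrors the option table in the header;
# does not depend on the header occupying fixed line numbers).
#######################################
usage() {
  cat <<'EOF'
Usage:
  ./run-semgrep.sh [options]

Options:
  --output-format <format>  Output format: text, json, sarif (default: text)
  --output-file <file>      Write results to file instead of stdout
  --config <config>         Semgrep config/ruleset (default: uses registry + local rules)
  --severity <level>        Filter by severity: INFO, WARNING, ERROR (can repeat)
  --exclude <pattern>       Additional patterns to exclude
  --help                    Show this help message
EOF
}

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a status line to stderr (keeps stdout reserved for scan results).
# Arguments: message words
#######################################
log() {
  printf '%s\n' "$*" >&2
}

#######################################
# Abort unless an option that takes a value actually received one.
# Arguments: $1 - option name, $2 - number of remaining positional args
#######################################
need_arg() {
  [[ "$2" -ge 2 ]] || die "option $1 requires an argument"
}

#######################################
# Resolve an existing host path to an absolute path.
# Arguments: $1 - host path (its directory must exist)
# Outputs:   absolute path on stdout
# Returns:   non-zero if the directory cannot be entered
#######################################
abs_path() {
  local dir base
  dir="$(cd "$(dirname "$1")" && pwd)" || return 1
  base="$(basename "$1")"
  printf '%s/%s\n' "${dir}" "${base}"
}

# Parse command line arguments
while [[ $# -gt 0 ]]; do
  case "$1" in
    --output-format)
      need_arg "$1" "$#"
      OUTPUT_FORMAT="$2"
      shift 2
      ;;
    --output-file)
      need_arg "$1" "$#"
      OUTPUT_FILE="$2"
      shift 2
      ;;
    --config)
      need_arg "$1" "$#"
      # Accumulate so the option can be repeated; split on whitespace below
      CONFIG="${CONFIG:+${CONFIG} }$2"
      shift 2
      ;;
    --severity)
      need_arg "$1" "$#"
      # Accumulate (the header promises "can repeat"); split on whitespace below
      SEVERITY="${SEVERITY:+${SEVERITY} }$2"
      shift 2
      ;;
    --exclude)
      need_arg "$1" "$#"
      EXTRA_EXCLUDES+=("--exclude=$2")
      shift 2
      ;;
    --help|-h)
      usage
      exit 0
      ;;
    *)
      printf 'Unknown option: %s\n' "$1" >&2
      usage >&2
      exit 1
      ;;
  esac
done

# Reject unknown formats instead of silently falling back to text
case "${OUTPUT_FORMAT}" in
  text|json|sarif) ;;
  *) die "Unsupported output format: ${OUTPUT_FORMAT} (expected text, json or sarif)" ;;
esac

# Standard excludes for OpenEMR (matches CI workflow)
declare -a EXCLUDES=(
  "--exclude=vendor"
  "--exclude=node_modules"
  "--exclude=tests"
  "--exclude=ccdaservice/node_modules"
  "--exclude=Documentation"
  "--exclude=*.mustache"
)

# Exclude default p/php rules that we override in semgrep.yaml with OpenEMR sanitizers
declare -a EXCLUDE_RULES=(
  "--exclude-rule=php.lang.security.injection.echoed-request.echoed-request"
  "--exclude-rule=php.lang.security.injection.printed-request.printed-request"
)

# Build output arguments
declare -a OUTPUT_ARGS=()
if [[ -n "${OUTPUT_FILE}" ]]; then
  if [[ "${OUTPUT_FILE}" == /* ]]; then
    # An absolute host path must be translated to the container's view of the
    # mount; a file written anywhere else inside the --rm container is discarded.
    case "${OUTPUT_FILE}" in
      "${SCRIPT_DIR}"/*) OUTPUT_FILE="${MOUNT_POINT}/${OUTPUT_FILE#"${SCRIPT_DIR}"/}" ;;
      *) die "--output-file must be inside ${SCRIPT_DIR} (got ${OUTPUT_FILE})" ;;
    esac
  fi
  OUTPUT_ARGS+=("--output=${OUTPUT_FILE}")
fi

# Build format argument (text is default, only specify for json/sarif)
declare -a FORMAT_ARG=()
case "${OUTPUT_FORMAT}" in
  json) FORMAT_ARG+=("--json") ;;
  sarif) FORMAT_ARG+=("--sarif") ;;
esac

# Build severity argument (can specify multiple: INFO, WARNING, ERROR)
declare -a SEVERITY_ARG=()
if [[ -n "${SEVERITY}" ]]; then
  read -ra sev_list <<<"${SEVERITY}"
  for sev in "${sev_list[@]}"; do
    case "${sev}" in
      INFO|WARNING|ERROR) SEVERITY_ARG+=("--severity=${sev}") ;;
      *) die "Unknown severity: ${sev} (expected INFO, WARNING or ERROR)" ;;
    esac
  done
fi

# Build config args
declare -a CONFIG_ARGS=()
if [[ -n "${CONFIG}" ]]; then
  # User-specified config(s): registry ids are passed through; local files are
  # mapped to a path the container can see.
  read -ra cfg_list <<<"${CONFIG}"
  mount_idx=0
  for cfg in "${cfg_list[@]}"; do
    if [[ -f "${cfg}" ]]; then
      host_cfg="$(abs_path "${cfg}")"
      case "${host_cfg}" in
        "${SCRIPT_DIR}"/*)
          # Inside the mount: keep the sub-path (basename alone would drop
          # directories and point at a file that does not exist in /src)
          cfg="${MOUNT_POINT}/${host_cfg#"${SCRIPT_DIR}"/}"
          ;;
        *)
          # Outside the mount: bind it read-only at a unique container path
          mount_idx=$((mount_idx + 1))
          cfg="/configs/${mount_idx}-$(basename "${host_cfg}")"
          EXTRA_MOUNTS+=(-v "${host_cfg}:${cfg}:ro")
          ;;
      esac
    fi
    CONFIG_ARGS+=("--config=${cfg}")
  done
  log "Config: ${CONFIG}"
else
  # Default: registry rulesets + local OpenEMR-specific rules
  CONFIG_ARGS+=(
    "--config=p/php"
    "--config=p/security-audit"
    "--config=p/javascript"
    "--config=p/nodejs"
    "--config=${MOUNT_POINT}/semgrep.yaml"
  )
  log "Config: p/php p/security-audit p/javascript p/nodejs semgrep.yaml"
fi

log "Running Semgrep on OpenEMR code..."
if [[ -n "${SEVERITY}" ]]; then
  log "Severity filter: ${SEVERITY}"
fi
log "Output format: ${OUTPUT_FORMAT}"
log ""

# Run Semgrep in Docker using the semgrep/semgrep image (see SEMGREP_IMAGE)
# Semgrep Docker image expects /src as mount point
docker run --rm \
  -v "${SCRIPT_DIR}:${MOUNT_POINT}" \
  "${EXTRA_MOUNTS[@]}" \
  -w "${MOUNT_POINT}" \
  "${SEMGREP_IMAGE}" \
  semgrep \
  "${CONFIG_ARGS[@]}" \
  "${SEVERITY_ARG[@]}" \
  "${FORMAT_ARG[@]}" \
  --no-git-ignore \
  "${EXCLUDES[@]}" \
  "${EXCLUDE_RULES[@]}" \
  "${EXTRA_EXCLUDES[@]}" \
  "${OUTPUT_ARGS[@]}" \
  .

log ""
log "Semgrep scan complete."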