Technical Discovery: Replace analyzers' scanners (linters) with Semgrep
Topic to Evaluate
Semgrep is a lightweight static analysis tool for many languages. We could use semgrep as a replacement for the underlying scanners used in SAST's analyzers. This issue should be used to compare the current semgrep ruleset offerings vs. our analyzers' scanners, specifically the linters.
- Technical Discovery: Custom analyzer rulesets for SAST & Secret Detection analyzers
- Update nodejs-scan sast analyzer to use njsscan v0.1.5 -- this issue updates njsscan to v0.1.5, which uses semgrep for the scanning
Tasks to Evaluate
- Create a table comparing semgrep rulesets vs SAST analyzers' scanners
- Benchmark semgrep vs SAST analyzers' scanners
Risks and Implementation Considerations
Team
- Add the ~"workflow::planning breakdown" and ~feature labels and the corresponding ~devops::<stage> and ~group::<group> labels.
- Ping the PM and EM.