Original Post: Introducing Semgrep for GitLab
Semgrep now offers first-class integration with GitLab through two main avenues: GitLab SAST and Semgrep CI. In GitLab SAST, Semgrep currently analyzes JavaScript, Python, and TypeScript, and additional languages will be supported soon. Through Semgrep CI, users can integrate Semgrep into their CI/CD workflows to review merge requests, leverage a repository of over 1,000 community rules, scan code in 17+ languages, and create custom rules with ease.
With GitLab 14, Semgrep replaces the previous analyzers for the languages it covers, namely Bandit for Python and ESLint for JavaScript and TypeScript. No new job is needed: including the SAST.gitlab-ci.yml template from your project's .gitlab-ci.yml is enough, and the template runs the Semgrep analyzer for those languages. The choice was backed by extensive benchmarking and user interviews, and the analyzer has been tuned for performance and reliability. GitLab is moving more of its analyzers onto Semgrep and is contributing back to the open source project.
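As an added example (not from the original post), the whole of the GitLab-side configuration described above is the one `include` below. The `variables` block is optional: `SAST_EXCLUDED_PATHS` and `SAST_EXCLUDED_ANALYZERS` are documented template variables, but the specific values are this example's assumptions, and whether Bandit and ESLint still run alongside Semgrep depends on the template version, so check the SAST documentation for your GitLab release before excluding them.

```yaml
# .gitlab-ci.yml (example configuration, not the project's own file)
#
# Pulling in GitLab's SAST template is the entire setup. On GitLab 14 the
# template runs the Semgrep analyzer for JavaScript, TypeScript and Python
# and publishes the findings on the merge request.
include:
  - template: Security/SAST.gitlab-ci.yml

# The template's jobs attach to the "test" stage by default.
stages:
  - test

variables:
  # Assumed values: skip test fixtures and vendored code so the scan is
  # faster and does not report findings in code you do not own.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, node_modules"
  # Assumed: if your template version still runs the legacy analyzers
  # for Python and JavaScript, disable them so each finding is reported
  # once, by Semgrep. Drop this line if they are already gone.
  SAST_EXCLUDED_ANALYZERS: "bandit, eslint"
```

Merge request pipelines and default-branch pipelines both pick this up; the template's own `rules:` decide when each analyzer job runs, so you normally do not add rules of your own.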
The Semgrep Registry holds community-driven rules for security, correctness, and performance that can be pulled into a pipeline by name. Results appear as merge request discussions, so findings are reviewed and resolved inside the normal code-review workflow rather than in a separate dashboard. Merge request scans are faster because only the files changed in the merge request are analyzed; the flip side is that a pre-existing issue in an untouched file will not surface in a merge request discussion, so a periodic full scan of the default branch is still worth keeping. Custom rules can be drafted and tested against a code sample in the Semgrep Playground, then committed to the repository and referenced from the CI configuration.
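The following is an added example, not code from the original post or from the Semgrep project, of what "create a custom rule and integrate it into CI" looks like end to end: a rule file written in Semgrep's rule syntax, and a Semgrep CI job that runs it together with a registry ruleset. The rule id, message, file path, job name and the `returntocorp/semgrep` image reference are this example's assumptions; `p/default` is a registry ruleset name and `--config` and `--error` are standard Semgrep CLI options.

```yaml
# File 1 of 2: .semgrep/no-shell-true.yml (example rule, assumed path)
#
# Flags subprocess.* calls that pass shell=True with anything other than
# a string literal as the command, since a non-literal command string is
# where user input reaches the shell. Paste the rule and a Python snippet
# into the Semgrep Playground to check the pattern before committing it.
rules:
  - id: python-subprocess-shell-true        # assumed rule id
    languages: [python]
    severity: ERROR
    message: >-
      subprocess called with shell=True and a non-literal command string.
      Pass an argument list with shell=False so the shell never parses
      untrusted input.
    patterns:
      # $FUNC matches any subprocess function (run, call, Popen, ...);
      # the leading and trailing "..." let shell=True sit anywhere in
      # the argument list.
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      # A hard-coded string literal command ("...") is not user-controlled,
      # so it is excluded to keep the rule low-noise.
      - pattern-not: subprocess.$FUNC("...", shell=True, ...)
    metadata:
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
---
# File 2 of 2: job to add to .gitlab-ci.yml (example job, assumed name)
#
# Runs the registry's default ruleset plus the custom rule above and fails
# the job when anything is found.
semgrep-custom:
  image: returntocorp/semgrep            # assumed upstream image name
  stage: test
  script:
    - semgrep --config p/default --config .semgrep/no-shell-true.yml --error .
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

This job only fails the pipeline and prints findings in the job log. Posting findings as merge request discussions, as the post describes, goes through the Semgrep CI integration with a GitLab access token rather than a bare CLI invocation, so treat the job above as the minimum that enforces the rule and follow the Semgrep CI documentation for the review-comment flow.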
GitLab plans to further integrate Semgrep, expanding coverage to more languages and enhancing their CI/CD pipelines. User feedback on the integration is highly encouraged.
Go here to read the Original Post