diff --git a/docs/kb/semgrep-ci/bitbucket-jenkins.md b/docs/kb/semgrep-ci/bitbucket-jenkins.md
index 7c4730815..d57ffc992 100644
--- a/docs/kb/semgrep-ci/bitbucket-jenkins.md
+++ b/docs/kb/semgrep-ci/bitbucket-jenkins.md
@@ -82,33 +82,38 @@ The following code snippets are sample Jenkinsfile that defines both of these ac
 ```groovy
 pipeline {
 agent any
- environment {
- SEMGREP_APP_TOKEN = credentials('SEMGREP_APP_TOKEN')
- SEMGREP_BASELINE_REF = "origin/main"
- }
- stages {
- stage('Semgrep-Scan') {
- steps {
- script {
- if (env.BITBUCKET_PULL_REQUEST_ID) {
- echo "Semgrep diff scan"
- sh '''git checkout ${BITBUCKET_PULL_REQUEST_LATEST_COMMIT_FROM_SOURCE_BRANCH}'''
- sh '''git fetch origin +ref/heads/*:refs/remotes/origin/*'''
- sh '''docker run \
- -e SEMGREP_APP_TOKEN=$SEMGREP_APP_TOKEN \
- -e SEMGREP_PR_ID=${BITBUCKET_PULL_REQUEST_ID} \
- -e SEMGREP_BASELINE_REF=$SEMGREP_BASELINE_REF \
- -v "$(pwd):$(pwd)" --workdir $(pwd) \
- semgrep/semgrep semgrep ci'''
- }
- else {
- echo "Semgrep full scan"
- sh '''docker run \
- -e SEMGREP_APP_TOKEN=$SEMGREP_APP_TOKEN \
- -v "$(pwd):$(pwd)" --workdir $(pwd) \
- semgrep/semgrep semgrep ci'''
- }
- }
+ environment {
+ // The following variable is required for a Semgrep AppSec Platform-connected scan:
+ SEMGREP_APP_TOKEN = credentials('SEMGREP_APP_TOKEN')
+
+ // Uncomment the following line to scan changed
+ // files in PRs or MRs (diff-aware scanning):
+ // SEMGREP_BASELINE_REF = "main"
+
+ // Troubleshooting:
+
+ // Uncomment the following lines if Semgrep AppSec Platform > Findings Page does not create links
+ // to the code that generated a finding or if you are not receiving PR or MR comments.
+ // SEMGREP_JOB_URL = "${BUILD_URL}"
+ // SEMGREP_COMMIT = "${GIT_COMMIT}"
+ // SEMGREP_BRANCH = "${GIT_BRANCH}"
+ // SEMGREP_REPO_NAME = env.GIT_URL.replaceFirst(/^https:\/\/github.com\/(.*).git$/, '$1')
+ // SEMGREP_REPO_URL = env.GIT_URL.replaceFirst(/^(.*).git$/,'$1')
+ // SEMGREP_PR_ID = "${env.CHANGE_ID}"
+ }
+ stages {
+ stage('Semgrep-Scan') {
+ steps {
+ sh '''docker pull semgrep/semgrep && \
+ docker run \
+ -e SEMGREP_APP_TOKEN=$SEMGREP_APP_TOKEN \
+ -e SEMGREP_REPO_URL=$SEMGREP_REPO_URL \
+ -e SEMGREP_REPO_NAME=$SEMGREP_REPO_NAME \
+ -e SEMGREP_BRANCH=$SEMGREP_BRANCH \
+ -e SEMGREP_COMMIT=$SEMGREP_COMMIT \
+ -e SEMGREP_PR_ID=$SEMGREP_PR_ID \
+ -v "$(pwd):$(pwd)" --workdir $(pwd) \
+ semgrep/semgrep semgrep ci '''
 }
 }
 }
@@ -129,18 +134,17 @@ pipeline {
 BITBUCKET_TOKEN = credentials('FS_BITBUCKET_TOKEN')
 // Uncomment the following line to scan changed
- // files in PRs or MRs (diff-aware scanning):
+ // files in PRs (diff-aware scanning):
 // SEMGREP_BASELINE_REF = "${env.CHANGE_ID != null ? 'main' : ''}"
+ // SEMGREP_REPO_NAME = env.GIT_URL.replaceFirst(/^https:\/\/YOUR_BITBUCKET_DATA_CENTER_URL\/scm\/(.*).git$/, '$1')
+ // SEMGREP_REPO_URL = env.GIT_URL.replaceFirst(/^(https:\/\/.*?)\/scm\/(.*)\/(.*)\.git$/, '$1/projects/$2/repos/$3')
+ // SEMGREP_COMMIT = "${GIT_COMMIT}"
 // Troubleshooting:
-
 // Uncomment the following lines if Semgrep AppSec Platform > Findings Page does not create links
- // to the code that generated a finding or if you are not receiving PR or MR comments.
+ // to the code that generated a finding or if you are not receiving PR comments.
 // SEMGREP_JOB_URL = "${BUILD_URL}"
- // SEMGREP_COMMIT = "${GIT_COMMIT}"
 // SEMGREP_BRANCH = "${GIT_BRANCH}"
- // SEMGREP_REPO_NAME = env.GIT_URL.replaceFirst(/^https:\/\/YOUR_BITBUCKET_DATA_CENTER_URL\/scm\/(.*).git$/, '$1')
- // SEMGREP_REPO_URL = env.GIT_URL.replaceFirst(/^(https:\/\/.*?)\/scm\/(.*)\/(.*)\.git$/, '$1/projects/$2/repos/$3')
 // SEMGREP_PR_ID = "${env.CHANGE_ID != null ? env.CHANGE_ID : ''}"
 SEMGREP_APP_URL = "https://semgrep.dev"
 }
@@ -192,12 +196,14 @@ To set up a Freestyle project to scan your Bitbucket projects with Semgrep:
 BASELINE_REF_ORIGIN="origin/$BASELINE_REF"
 REPO_URL=$GIT_URL
 REPO_NAME=$(echo "$GIT_URL" | awk -F'/' '{print $(NF-1)"/"$(NF)}' | sed 's/.git$//')
+ SEMGREP_COMMIT=$GIT_COMMIT
 ## Merge or push to primary branch
 if [ $BITBUCKET_SOURCE_BRANCH = $BASELINE_REF ]; then
 docker run -e SEMGREP_APP_TOKEN=$SEMGREP_APP_TOKEN \
 -e SEMGREP_REPO_URL=$REPO_URL \
 -e SEMGREP_REPO_NAME=$REPO_NAME \
+ -e SEMGREP_COMMIT=$SEMGREP_COMMIT \
 -v "$(pwd):$(pwd)" --workdir $(pwd) \
 semgrep/semgrep semgrep ci
 ## pull request scans
diff --git a/docs/kb/semgrep-ci/jenkins-diff-scans.md b/docs/kb/semgrep-ci/jenkins-diff-scans.md
index be0b2ba3e..d50cea24b 100644
--- a/docs/kb/semgrep-ci/jenkins-diff-scans.md
+++ b/docs/kb/semgrep-ci/jenkins-diff-scans.md
@@ -29,6 +29,10 @@ pipeline {
 SEMGREP_APP_TOKEN = credentials('SEMGREP_APP_TOKEN')
 // Set repo name to expected format
 SEMGREP_REPO_NAME = env.GIT_URL.replaceFirst(/^https:\/\/github.com\/(.*)$/, '$1')
+
+ // Uncomment the follow if you do not see PR comments
+ // SEMGREP_COMMIT = "${GIT_COMMIT}"
+ // SEMGREP_REPO_URL = env.GIT_URL.replaceFirst(/^(.*).git$/,'$1')
 }
 stages {
 stage('semgrep-diff-scan') {
@@ -44,6 +48,8 @@ pipeline {
 docker run \
 -e SEMGREP_APP_TOKEN=$SEMGREP_APP_TOKEN \
 -e SEMGREP_REPO_NAME=$SEMGREP_REPO_NAME \
+ -e SEMGREP_COMMIT=$SEMGREP_COMMIT \
+ -e SEMGREP_REPO_URL=$SEMGREP_REPO_URL \
 -e SEMGREP_BASELINE_REF=$(git merge-base $GIT_BRANCH $CHANGE_TARGET) \
 -e SEMGREP_PR_ID="${env.CHANGE_ID}" -v "$(pwd):$(pwd)" --workdir $(pwd) \