Semgrep - Prevent from calling semgrep servers and use our stable rules by default by fproulx-boostsecurity · Pull Request #204 · boostsecurityio/dev-registry

fproulx-boostsecurity · 2025-03-25T20:27:30Z

Updated semgrep to latest version (for Semgrep Pro also)
Added POSIX-compliant rule validation logic to assert that auto or equivalent (p/python, etc.) is not used
Disabled semgrep metrics, which hard crashes if the validation logic would get bypassed somehow
Point to new default stable Boost curated rules set hosted on our assets CDN on S3
Smoke tests with attempt to use auto (should fail)
Smoke tests default value
Tested on GitHub Actions
Tested on Gitlab (can be done once we merged this PR to dev registry)
@guilbocz-boost validated that no customer used custom rules (except one, which uses Semgrep Pro with their license) - https://docs.google.com/spreadsheets/d/1TfPvkVdUkndf6ZAZUyy96lj32kSOa80Q3vr4Uy_-Sw4/edit?gid=0#gid=0

Prevent from calling semgrep servers and use our stable rules by default

f1308c3

fproulx-boostsecurity marked this pull request as draft March 25, 2025 21:03

fproulx-boostsecurity added 4 commits March 26, 2025 11:32

Add assertion

88dc9ed

Updated semgrep engine

aa2c127

Fixed validation

f032777

Make validation POSIX compliant

3db554e

fproulx-boostsecurity marked this pull request as ready for review March 26, 2025 16:52

fproulx-boostsecurity requested review from Franck-Boost, SUSTAPLE117, guilbocz-boost, lindycoder and stlef14 March 26, 2025 16:52

SUSTAPLE117 approved these changes Mar 26, 2025

View reviewed changes

fproulx-boostsecurity merged commit 957386c into main Mar 26, 2025
4 checks passed

fproulx-boostsecurity added a commit that referenced this pull request Oct 22, 2025

Update version of several scanners (#204)

29d66c3

fproulx-boostsecurity deleted the feature/prevent-phoning-home-to-semgrep branch December 3, 2025 20:46

Provide feedback