feat: add Ruby SAST stage (#126)

README.md

@@ -158,7 +158,7 @@ pipelinit
       <td rowspan="1">Shell script</td>
       <td>Lint</td>
       <td>✔️</td>
-      <td rowspan="6">Coming soon</td>
+      <td rowspan="7">Coming soon</td>
     </tr>
     <tr>
       <td rowspan="2">Java</td>
@@ -170,14 +170,18 @@ pipelinit
       <td>✔️</td>
     </tr>
     <tr>
-      <td rowspan="2">Ruby</td>
+      <td rowspan="3">Ruby</td>
       <td>Lint</td>
       <td>✔️</td>
     </tr>
     <tr>
       <td>Format</td>
       <td>✔️</td>
     </tr>
+    <tr>
+      <td>SAST (Semgrep)</td>
+      <td>✔️</td>
+    </tr>
     <tr>
       <td rowspan="1">Markdown</td>
       <td>Lint</td>

core/plugins/stack/ruby/dependencies.ts

@@ -29,3 +29,11 @@ export const hasRubyDependency = async (
   const dependencies = await readDependencyFile(context);
   return dependencies.some((dep) => dep === dependencyName);
 };
+
+export const hasRubyDependencyAny = async (
+  context: Context,
+  dependencyList: Set<string>,
+): Promise<boolean> => {
+  const dependencies = await readDependencyFile(context);
+  return dependencies.some((dep) => dependencyList.has(dep));
+};

core/plugins/stack/ruby/mod.ts

@@ -5,6 +5,7 @@ import {
   Formatters,
   introspect as introspectFormatters,
 } from "./formatters.ts";
+import { introspect as introspectType } from "./types.ts";
 
 /**
  * Introspected information about a project with Ruby
@@ -19,6 +20,10 @@ export default interface RubyProject {
    */
   linters: Linters;
   formatters: Formatters;
+  /**
+   * Identified type of project
+   */
+  type?: string | null;
 }
 
 export const introspector: Introspector<RubyProject | undefined> = {
@@ -42,10 +47,14 @@ export const introspector: Introspector<RubyProject | undefined> = {
     const linters = await introspectLinters(context);
     const formatters = await introspectFormatters(context);
 
+    //Project type
+    const projectType = await introspectType(context);
+
     return {
       version: version,
       linters: linters,
       formatters: formatters,
+      type: projectType,
     };
   },
 };

core/plugins/stack/ruby/types.ts

@@ -0,0 +1,18 @@
+import { IntrospectFn } from "../../../types.ts";
+import { hasRubyDependencyAny } from "./dependencies.ts";
+
+const webApps = new Set([
+  "rails",
+  "rack",
+  "sinatra",
+  "hanami",
+  "padrino",
+  "roda",
+]);
+
+export const introspect: IntrospectFn<string | null> = async (context) => {
+  if (await hasRubyDependencyAny(context, webApps)) {
+    return "webApp";
+  }
+  return null;
+};

core/templates/github/ruby/sast.yaml

@@ -0,0 +1,19 @@
+name: SAST Ruby
+on:
+  pull_request:
+    paths:
+      - "**.rb"
+jobs:
+  semgrep:
+    name: Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: returntocorp/semgrep-action@v1
+        with:
+          config: >-
+<% if (it.type === "webApp") { -%>
+            p/owasp-top-ten
+<% } else {-%>
+            p/ci
+<% } -%>

tests/default_test.ts

@@ -104,6 +104,15 @@ test(
   },
 );
 
+test(
+  { fixture: "ruby/sinatra", args: ["--no-strict"] },
+  async (stdout, _stderr, code, assertExpectedFiles) => {
+    assertStringIncludes(stdout, "Detected stack: ruby");
+    assertEquals(code, 0);
+    await assertExpectedFiles();
+  },
+);
+
 test(
   { fixture: "docker/docker-lint-build", args: ["--no-strict"] },
   async (stdout, _stderr, code, assertExpectedFiles) => {

tests/fixtures/ruby/rubocop-lint/expected/.github/workflows/pipelinit.ruby.sast.yaml

@@ -0,0 +1,17 @@
+# Generated with pipelinit 0.3.0
+# https://pipelinit.com/
+name: SAST Ruby
+on:
+  pull_request:
+    paths:
+      - "**.rb"
+jobs:
+  semgrep:
+    name: Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: returntocorp/semgrep-action@v1
+        with:
+          config: >-
+            p/ci

tests/fixtures/ruby/sinatra/expected/.github/workflows/pipelinit.ruby.format.yaml

@@ -0,0 +1,20 @@
+# Generated with pipelinit 0.3.0
+# https://pipelinit.com/
+name: Format Ruby
+on:
+  pull_request:
+    paths:
+      - "**.rb"
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.0.2"
+          bundler-cache: true
+      - run: gem install
+      - run: gem install rubocop
+      - run: bundle exec rubocop --format .

tests/fixtures/ruby/sinatra/expected/.github/workflows/pipelinit.ruby.lint.yaml

@@ -0,0 +1,20 @@
+# Generated with pipelinit 0.3.0
+# https://pipelinit.com/
+name: Lint Ruby
+on:
+  pull_request:
+    paths:
+      - "**.rb"
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.0.2"
+          bundler-cache: true
+      - run: gem install
+      - run: gem install rubocop
+      - run: bundle exec rubocop --lint .

tests/fixtures/ruby/sinatra/expected/.github/workflows/pipelinit.ruby.sast.yaml

@@ -0,0 +1,17 @@
+# Generated with pipelinit 0.3.0
+# https://pipelinit.com/
+name: SAST Ruby
+on:
+  pull_request:
+    paths:
+      - "**.rb"
+jobs:
+  semgrep:
+    name: Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: returntocorp/semgrep-action@v1
+        with:
+          config: >-
+            p/owasp-top-ten

tests/fixtures/ruby/sinatra/project/.pipelinit.toml

@@ -0,0 +1 @@
+platforms = ["github"]

tests/fixtures/ruby/sinatra/project/Gemfile

@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+gem 'sinatra', :github => 'sinatra/sinatra'
+
+# other dependencies
+gem 'haml'                    # for instance, if you use haml

tests/fixtures/ruby/sinatra/project/main.rb

@@ -0,0 +1,6 @@
+# myapp.rb
+require 'sinatra'
+
+get '/' do
+  'Hello world!'
+end