This repository has been archived by the owner on Apr 9, 2024. It is now read-only.
I mentioned this some time ago as a casual comment in Slack, but surfacing here just to give a bit more exposure.
Since the v1 tag on semgrep-agent is continually bumped with new releases, consumers of the v1 docker image are always at risk of having their CI build break due to a new release. My release engineering folks rather frown on that, which means I cannot make use of semgrep's failing a build iff there is a new problem in our code.
It would be nice to have the option to pin to an unchanging version of your docker image so I could eliminate the risk in my CI pipeline. Not saying you have to immobilize "v1" --I understand the desire to keep that at the head for your own needs--but perhaps have additional tags corresponding to the encapsulated semgrep (since I imagine that changes more frequently).
Yeah, we'll need to address this very soon! Thanks for creating an issue for the discussion. We're still shipping backwards-incompatible API changes to Semgrep Community sometimes and might need to hold out for a bit longer without worrying about deprecation policies; personally, I'd guess a month or so.
and it would always use the same exact code. We don't advertise this option and wouldn't recommend this, though, cause failing due to API changes is likelier now than due to a new semgrep-agent release.
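The risk discussed above is that a mutable tag such as v1 moves underneath the consumer; the immutable form a consumer can use is a reference pinned by sha256 digest. The check below is an added example (not code from this issue or from the semgrep-agent project) that scans CI config text for image references that are not digest-pinned; the image name `example/semgrep-agent`, the digest value and the workflow snippet are constructed.

```python
import re

# One OCI image reference as written in a CI config value: repo path, then an
# optional :tag and/or @sha256:digest. Registries with a :port are not handled.
IMAGE_RE = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9._/-]*?)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

# YAML keys (GitHub Actions / compose style) whose scalar value is an image ref.
KEY_RE = re.compile(r"^\s*(?:-\s*)?(?P<key>image|container|uses):\s*(?P<value>\S+)\s*$")


def classify(ref):
    """Return 'digest', 'tag', 'floating' or 'invalid' for one image reference."""
    if ref.startswith("docker://"):
        ref = ref[len("docker://"):]
    m = IMAGE_RE.match(ref)
    if not m:
        return "invalid"
    if m.group("digest"):
        return "digest"  # content-addressed: cannot move under the consumer
    return "tag" if m.group("tag") else "floating"  # no tag means implicit :latest


def find_unpinned(config_text):
    """Return (line_no, ref, kind) for every image ref that is not digest-pinned."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = KEY_RE.match(line)
        if not m:
            continue
        ref = m.group("value").strip("'\"")
        if m.group("key") == "uses" and not ref.startswith("docker://"):
            continue  # owner/repo@ref action references are not OCI images
        kind = classify(ref)
        if kind != "digest":
            findings.append((n, ref, kind))
    return findings


# Constructed workflow: one digest pin, one mutable tag, one untagged image.
CONSTRUCTED_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_WORKFLOW = f"""jobs:
  semgrep:
    container:
      image: example/semgrep-agent:v1
    steps:
      - uses: docker://example/semgrep-agent@{CONSTRUCTED_DIGEST}
      - uses: actions/checkout@v2
  scan2:
    container: example/semgrep-agent
"""

if __name__ == "__main__":
    for n, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref} is pinned by {kind}, not by digest")
```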