ci: add semgrep check (#477)

venikkin · web-flow · commit 2c5e720505f7 · 2026-01-13T10:57:39.000Z
diff --git a/.teamcity/builds/Build.kt b/.teamcity/builds/Build.kt
@@ -38,6 +38,8 @@ class Build(
             if (forPullRequests) dependentBuildType(PRCheck("${name}-pr-check", "pr check"))
 
             parallel {
+              dependentBuildType(SemgrepCheck("${name}-semgrep-check", "semgrep check"))
+
               JavaPlatform.entries.forEach { java ->
                 val packaging =
                     Maven(
diff --git a/.teamcity/builds/Common.kt b/.teamcity/builds/Common.kt
@@ -33,6 +33,11 @@ val MAVEN_DEFAULT_ARGS = buildString {
 }
 const val DEFAULT_BRANCH = "main"
 
+const val FULL_GITHUB_REPOSITORY = "$GITHUB_OWNER/$GITHUB_REPOSITORY"
+const val GITHUB_URL = "https://github.com/$FULL_GITHUB_REPOSITORY"
+
+const val SEMGREP_DOCKER_IMAGE = "semgrep/semgrep:1.146.0"
+
 val DEFAULT_JAVA_VERSION = JavaVersion.V_11
 const val DEFAULT_CONFLUENT_PLATFORM_VERSION = "7.2.9"
 
diff --git a/.teamcity/builds/Maven.kt b/.teamcity/builds/Maven.kt
@@ -3,7 +3,7 @@ package builds
 import jetbrains.buildServer.configs.kotlin.BuildType
 import jetbrains.buildServer.configs.kotlin.toId
 
-class Maven(
+open class Maven(
     id: String,
     name: String,
     goals: String,
diff --git a/.teamcity/builds/SemgrepCheck.kt b/.teamcity/builds/SemgrepCheck.kt
@@ -0,0 +1,35 @@
+package builds
+
+import jetbrains.buildServer.configs.kotlin.buildSteps.ScriptBuildStep
+
+class SemgrepCheck(
+  id: String,
+  name: String
+): Maven(
+    id,
+    name,
+    "dependency:tree",
+    JavaVersion.V_17,
+    Neo4jVersion.V_NONE,
+    "-DoutputFile=maven_dep_tree.txt"
+) {
+
+  init {
+
+    params.password("env.SEMGREP_APP_TOKEN", "%semgrep-app-token%")
+    params.text("env.SEMGREP_REPO_NAME", FULL_GITHUB_REPOSITORY)
+    params.text("env.SEMGREP_REPO_URL", GITHUB_URL)
+    params.text("env.SEMGREP_BRANCH", "%teamcity.build.branch%")
+    params.text("env.SEMGREP_JOB_URL", "%env.BUILD_URL%")
+    params.text("env.SEMGREP_COMMIT", "%env.BUILD_VCS_NUMBER%")
+
+    steps.step(ScriptBuildStep {
+      scriptContent="semgrep ci --no-git-ignore"
+      dockerImagePlatform = ScriptBuildStep.ImagePlatform.Linux
+      dockerImage = SEMGREP_DOCKER_IMAGE
+      dockerRunParameters =
+          "--volume /var/run/docker.sock:/var/run/docker.sock --volume %teamcity.build.checkoutDir%/signingkeysandbox:/root/.gnupg"
+    })
+  }
+
+}
diff --git a/.teamcity/settings.kts b/.teamcity/settings.kts
@@ -14,6 +14,7 @@ project {
   params {
     password("github-commit-status-token", "%github-token%")
     password("github-pull-request-token", "%github-token%")
+    password("semgrep-app-token", "%semgrep-token%")
   }
 
   vcsRoot(Neo4jKafkaConnectorVcs)

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@ project {`
`14`	`14`	`params {`
`15`	`15`	`password("github-commit-status-token", "%github-token%")`
`16`	`16`	`password("github-pull-request-token", "%github-token%")`
	`17`	`+ password("semgrep-app-token", "%semgrep-token%")`
`17`	`18`	`}`
`18`	`19`
`19`	`20`	`vcsRoot(Neo4jKafkaConnectorVcs)`