chore: remove Semgrep from quality analysis pipeline
18
Makefile
18
Makefile
@@ -139,7 +139,7 @@ maintenance_off: ## Desactive le mode maintenance
|
||||
|
||||
|
||||
## —— Qualite ──────────────────────────────────────
|
||||
qa: lint phpstan cs_check semgrep ## Lance tous les checks qualite (lint + analyse + sécurité)
|
||||
qa: lint phpstan cs_check ## Lance tous les checks qualite (lint + analyse + sécurité)
|
||||
|
||||
qa_full: qa test_coverage infection phpmetrics ## Lance la suite complète (qa + tests coverage + mutation + metrics)
|
||||
|
||||
@@ -177,20 +177,6 @@ stylelint: ## Lance Stylelint sur les fichiers SCSS
|
||||
stylelint_fix: ## Corrige automatiquement les erreurs Stylelint
|
||||
docker compose -f docker-compose-dev.yml exec bun bunx stylelint "assets/**/*.scss" --fix
|
||||
|
||||
semgrep: ## Lance Semgrep SAST sur src/
|
||||
docker compose -f docker-compose-dev.yml exec php sh -c 'pip install semgrep --break-system-packages -q && semgrep scan --config=auto src/'
|
||||
|
||||
semgrep_report:
|
||||
mkdir -p var/reports
|
||||
# 1. On garde ton scan Docker (il marche très bien)
|
||||
docker run --rm \
|
||||
--user $(shell id -u):$(shell id -g) \
|
||||
-v "$(PWD):/src" \
|
||||
returntocorp/semgrep \
|
||||
semgrep scan --config=auto --json -o var/reports/semgrep-raw.json src/ || true
|
||||
|
||||
# 2. Conversion JQ pour le format SonarQube Generic Issue (avec la section rules pour éviter le warning de dépréciation)
|
||||
cat var/reports/semgrep-raw.json | jq '{rules: [.results[] | {id: .check_id, name: .check_id, engineId: "semgrep", description: .check_id, type: "VULNERABILITY"}] | unique_by(.id), issues: [.results[] | {engineId: "semgrep", ruleId: .check_id, severity: (if .extra.severity == "ERROR" then "CRITICAL" else "MAJOR" end), type: "VULNERABILITY", primaryLocation: {message: .extra.message, filePath: .path, textRange: {startLine: .start.line}}}]}' > var/reports/semgrep-report.json
|
||||
test_coverage: ## Lance les tests PHP avec couverture (clover + HTML + JUnit)
|
||||
docker compose -f docker-compose-dev.yml exec php sh -c 'mkdir -p var/reports && php bin/phpunit --testdox --log-junit var/reports/phpunit.xml --coverage-clover var/reports/coverage.xml --coverage-html var/reports/coverage-html --coverage-text'
|
||||
|
||||
@@ -219,7 +205,7 @@ hadolint_report: ## Lance Hadolint sur le Dockerfile prod et genere le rapport J
|
||||
audit: ## Lance l'audit de securite Composer
|
||||
docker compose -f docker-compose-dev.yml exec php composer audit
|
||||
|
||||
reports: phpstan_report eslint_report semgrep_report test_coverage hadolint_report phpmetrics ## Genere tous les rapports pour SonarQube
|
||||
reports: phpstan_report eslint_report test_coverage hadolint_report phpmetrics ## Genere tous les rapports pour SonarQube
|
||||
|
||||
## —— SonarQube ————————————————————————————————————
|
||||
sonar: reports ## Genere les rapports puis lance le scan SonarQube
|
||||
|
||||
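Review bot: The help text on the new `qa` line in the first hunk still advertises `sécurité` (`qa: lint phpstan cs_check ## Lance tous les checks qualite (lint + analyse + sécurité)`) even though the only security check it used to run, `semgrep`, has been dropped from its prerequisites, so `make help` now promises a security pass that `qa` does not perform. Either trim the description to `## Lance tous les checks qualite (lint + analyse)` or keep the claim true by adding the existing `audit` target (the composer audit visible further down in this section) to the prerequisites, `qa: lint phpstan cs_check audit ## ...`. The same gap applies to `reports`/`sonar`: with `semgrep_report` removed here and `sonar.externalIssuesReportPaths` removed in the properties hunk, SonarQube no longer receives any external security findings, which the commit description should state explicitly if that is intended rather than a temporary removal.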
@@ -22,5 +22,4 @@ sonar.cpd.exclusions=migrations/**
|
||||
# ─── Rapports externes ────────────────────────────
|
||||
sonar.php.phpstan.reportPaths=var/reports/phpstan-report.json
|
||||
sonar.javascript.eslint.reportPaths=var/reports/eslint-report.json
|
||||
sonar.externalIssuesReportPaths=var/reports/semgrep-report.json
|
||||
sonar.docker.hadolint.reportPaths=var/reports/hadolint-raw.json
|
||||
|
||||