semgrep

Author: carl-adams-planet

.github/workflows/test.yml

@@ -8,7 +8,7 @@ env:
   PYTHON_VERSION: "3.13"
 
 jobs:
-  lint_black_formatting:
+  black_formatting:
     name: Black Format Linting
     runs-on: ubuntu-latest
     steps:
@@ -39,6 +39,20 @@ jobs:
         run: |
           nox -s pytest-${{ matrix.python-version }}
 
+  semgrep_src:
+    name: Semgrep security scanning
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Prepare common Python build environment
+        uses: ./.github/actions/python-common-setup
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+      - name: 'Nox: Semgrep - src'
+        run: |
+          nox -s semgrep_src
+
   mypy_all:
     name: MyPy - All
     runs-on: ubuntu-latest

.gitignore

@@ -11,6 +11,7 @@ mypy.xml
 pip-wheel-metadata
 pytest.xml
 pytest-*.xml
+semgrep-*.xml
 site
 *.venv
 venv*

noxfile.py

@@ -20,6 +20,13 @@ def pytest(session):
     session.run("pytest", "-v", *options)
 
 
+@nox.session(python=_DEFAULT_PYTHON)
+def semgrep_src(session):
+    session.install("-e", ".[tests]")
+    # session.run("semgrep", "scan", "--strict", "--verbose", "--junit-xml", "--junit-xml-output=semgrep-src.xml", "src")
+    session.run("semgrep", "scan", "--strict", "--verbose", "src")
+
+
 @nox.session(name="black-lint", python=_DEFAULT_PYTHON)
 def black_lint(session):
     session.install("-e", ".[tests]")

pyproject.toml

@@ -63,6 +63,7 @@ tests = [
     "pytest",
     "pytest-cov",
     "pytest-xdist",
+    "semgrep",
     "validators",
 ]
 internal = [