agentguard-ci/docs/plans/phase2-step2-semgrep.md
2026-04-19 22:29:53 -06:00
Implementation Plan: Semgrep Scanner

Objective

Implement the Semgrep SAST (Static Application Security Testing) step as a task in the Argo Workflows DAG that runs in parallel with the other scanners once the repository has been cloned.

Requirements

  • Define a task template named scan-semgrep.
  • Depend on the clone-repo task.
  • Mount the shared PVC at /workspace.
  • Run Semgrep against the /workspace directory with a default ruleset that can be overridden per run (for example through a template parameter or environment variable).
  • Output findings in SARIF format.
  • Save the output to /workspace/reports/semgrep.sarif.
  • Ensure the task exits 0 when Semgrep completes and only reports findings, so the Phase 3 aggregation step still runs. Wrap the invocation in a script that maps a findings-only exit code to 0, but keep failing the task when the scanner itself errors out (Semgrep uses exit codes of 2 and above for configuration, parsing and runtime errors) or when no SARIF file was written; a blanket "always return 0" would hide a broken scan as a clean one.

Agent Instructions

  1. Add the scan-semgrep template to the ClusterWorkflowTemplate.
  2. Wire it into the DAG alongside the other scanners.
  3. CRITICAL: keep files small. Do not put everything into one giant file; split the YAML manifests and configuration into separate, smaller files (for example separate Helm template files, ConfigMaps, or helper scripts) so that no single file exhausts the agent's context window.
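The fragment below is an added example of what the requirements and the two wiring steps above produce; it is not a manifest from the agentguard-ci repository. It shows a ClusterWorkflowTemplate with a scan-semgrep script template mounted on the shared PVC, wired into the DAG after clone-repo, writing SARIF to /workspace/reports/semgrep.sarif, and passing only when Semgrep finished. The template name, the PVC claim name, the image tag, the SEMGREP_RULES default of p/default and the task names are assumptions; the clone-repo template and the other scanner tasks are left as placeholders because they belong to other steps.

```yaml
# Added example (not the project's own manifest). Assumed: the template and
# PVC names, the image tag, and the p/default registry ruleset.
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
  name: agentguard-scan                      # assumed name
spec:
  entrypoint: pipeline
  volumes:
    - name: workspace
      persistentVolumeClaim:
        claimName: agentguard-workspace      # assumed: PVC populated by clone-repo
  templates:
    - name: pipeline
      dag:
        tasks:
          - name: clone-repo
            template: clone-repo             # defined in another step's file
          - name: scan-semgrep
            template: scan-semgrep
            dependencies: [clone-repo]
          # other scanners are siblings of scan-semgrep with the same dependency,
          # so the DAG runs them in parallel once the clone has finished
    - name: scan-semgrep
      script:
        image: semgrep/semgrep:1.90.0        # assumed tag; pin by digest in production
        command: [bash]
        volumeMounts:
          - name: workspace
            mountPath: /workspace
        env:
          - name: SEMGREP_RULES              # override per run to change the ruleset
            value: p/default                 # registry ruleset; needs network access
        source: |
          set -u
          mkdir -p /workspace/reports
          # --error makes "findings present" exit 1; 0 is clean, 2+ are scanner errors.
          semgrep scan --error --sarif --metrics=off \
            --config "${SEMGREP_RULES}" \
            --output /workspace/reports/semgrep.sarif /workspace
          rc=$?
          case "$rc" in
            0) echo "semgrep: no findings" ;;
            1) echo "semgrep: findings written; task passes so aggregation can run" ;;
            *) echo "semgrep: scanner failed with exit code $rc" >&2; exit "$rc" ;;
          esac
          # An empty or missing report means the scan did not really complete.
          [ -s /workspace/reports/semgrep.sarif ] \
            || { echo "semgrep: no SARIF report produced" >&2; exit 2; }
          exit 0
```

The case statement is the whole point of the wrapper: exit codes 0 and 1 both mean the scanner ran to completion, so the task succeeds and Phase 3 aggregates the SARIF, while any other code (bad ruleset, parse failure, crash) still fails the DAG node instead of being reported as a clean scan. The p/default ruleset is fetched from the Semgrep registry; for an air-gapped cluster, bake the rules into the image or a ConfigMap and point SEMGREP_RULES at that path.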