Static Code Analysis using Semgrep App

Renjith Ravindranathan — Thu, 20 Oct 2022 10:14:00 +0000

In this short article, we will explore the static code analysis capability of Semgrep. Semgrep is a fast, open-source, static analysis tool that supports most modern languages. It works on a set of rules and rules are customizable as well according to your requirements. The tool is available in the CLI (OSS) version as well as in the SaaS version(Semgrep App). Also, it is very flexible to integrate with your CI pipelines. Let's look at integrating Semgrep with GitLab.

Pre-requisites
Gitlab account
Semgrep App Account

Let's build
Semgrep works in such a way that the whole code analysis is done in the agents aka build machines and no sensitive data is being sent to the cloud. The only requirement is to generate an API TOKEN from Semgrep App and pass it to your GitLab pipelines, so they can talk with each other.

You can create an API token from this link

Once you have the token generated, the next step is to add the API TOKEN to the GitLab Variables — SEMGREP_APP_TOKEN in your project

Let's look at the GitLab pipelines. The pipeline has been just to do the static code analysis for illustration purposes.

stages:
  - build

# Semgrep static code analysis
semgrep:
  stage: build
  # A Docker image with Semgrep installed.
  image: returntocorp/semgrep
  # Run the "semgrep ci" command on the command line of the docker image.
  script: semgrep ci

  rules:
  # Scan changed files in MRs, (diff-aware scanning):
  - if: $CI_MERGE_REQUEST_IID

  # Scan mainline (default) branches and report all findings.
  - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

  variables:
    # Connect to Semgrep App through your SEMGREP_APP_TOKEN.
    # Generate a token from Semgrep App > Settings
    # and add it as a variable in your GitLab CI/CD project settings.
    SEMGREP_APP_TOKEN: $SEMGREP_APP_TOKEN

Result
For scanning, I am utilizing an old repository hosted here that consists of Python scripts, Dockerfiles, and Kubernetes Manifests. The outcome is quite nice, as Semgrep was able to catch a few common mistakes in the development. The dashboard shows an overall summary of the findings.

Let's zoom in on one of the findings run-as-non-root . Typically this message is raised when you have allowed your container to be run as root or in order words you have not specified the user by which the container is executed.

There is a rule editor which shows the pre-defined rules, against which your code is compared. You may go around it to see, how it evaluates the condition.

Conclusion
Semgrep is a good tool to integrate with and it can be integrated with major CI/CD engines like GitLab, GitHub Actions, Azure DevOps, Jenkins, CircleCI, Bitbucket Pipelines, etc. It is worth checking out if it suits your organization's requirements. That’s all for now. Hope you find the article useful and feedbacks are always welcome. Cheers.

References
GitLab Repo
Semgrep Docs

In case of any queries, please feel to connect me via the below links

LinkedIn
Twitter
Medium

Essential plugins for Kubectl CLI

Renjith Ravindranathan — Thu, 20 Oct 2022 06:57:17 +0000

This is a short article about handy plugins that can be used along with kubectl CLI , which helps you to can reduce a few of your operational tasks from an admin perspective. Basically, we can extend the capabilities kubectl with the power of plugins, like checking the deprecations of components in the cluster or SSHing to the nodes.

We can install plugins using a plugin manager called krew and there are quite a few available on the website listed here as well. Let's look at how we can get started with plugins :)

Setup
The plugins are added using krew and the primary requirement is to install krew them in the system. You can use the below code snippet in Mac/Linux to install it

(
  set -x; cd "$(mktemp -d)" &&
  OS="$(uname | tr '[:upper:]' '[:lower:]')" &&
  ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" &&
  KREW="krew-${OS}_${ARCH}" &&
  curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/${KREW}.tar.gz" &&
  tar zxvf "${KREW}.tar.gz" &&
  ./"${KREW}" install krew
)

Once you have krew it in the system, now it is time to install the additional plugins.

Plugins
There are many plugins available in the OSS GitHub repos, but below are some of my personal favorites.

1. Kubepug
KubePug/Deprecations is intended to be a kubectl plugin, which:

Downloads a swagger.json from a specific Kubernetes version
Parses this Json finding deprecation notices
Verifies the current kubernetes cluster or input files checking whether exists objects in this deprecated API Versions, allowing the user to check before migrating

kubectl krew install deprecations
#Usage
kubepug --k8s-version=v1.18.6 # Will verify the current context against v1.18.6 swagger.json

2. net-forward

Simple plugin that lest you create a local port listener on your personal machine that redirects to an arbitrary TCP service that the Cluster can see. This is similar to kubectl port-forward without the restriction that forwarding can only use Pods or Services as destinations.

kubectl krew install net-forward

#Usage
kubectl net-forward -i 169.254.169.254 -p 3389 -l 3389
I personally use this a lot to debug issues related to environment specific inside the Windows/Linux nodes.

Please feel to try out the plugins on the krew website also, as there are other plugins that could be beneficial to your work.
Hope this info was helpful and thanks for reading the article.!

References
Kubepug
net-forward
Krew

In case of any queries, please feel to connect me via the below links

LinkedIn
Twitter
Medium

DEV Community: Renjith Ravindranathan

Static Code Analysis using Semgrep App

Essential plugins for Kubectl CLI