CodeScan¶
You can continuously collect results analyzed with the open-source Semgrep .
What is Semgrep?
- A tool designed for static analysis of source code.
- It's particularly useful for detecting issues related to security, bugs, and code style violations.
Format¶
When importing data into RISKEN, the following metadata is added:
| Field | Description |
|---|---|
DataSource |
code:codescan (fixed) |
ResourceName |
Repository name |
Description |
Description |
Score |
Refer to Scoring |
Tag |
code repository codescan {Repository Name} |
Scoring¶
Scores are set based on the results analyzed by CodeScan as follows:
graph TD
A[Start] --> B{{Exists findings?}};
B -->|NO| C[Findings will not be registered]:::low;
B -->|YES| D{{What is finding severity?}};
D -->|ERROR| E[Score: 0.6]:::high;
D -->|WARNING| F[Score: 0.3]:::low;
D -->|INFO| G[Score: 0.1]:::low;
D -->|UNKNOWN| J[Score: 0.0]:::unknown;
classDef high fill:#FFFFFF,stroke:#C2185B,stroke-width:4px;
classDef mid fill:#FFFFFF,stroke:#F57C00,stroke-width:4px;
classDef low fill:#FFFFFF,stroke:#4DB6AC,stroke-width:4px;
classDef unknown fill:#FFFFFF,stroke:#BDBDBD,stroke-width:4px;
Detection Rules¶
Scans are conducted based on the contents of the Default Rules found in the Semgrep Registry. You can check the specific items that are inspected and the severity of each rule on the aforementioned Registry website.