Proposal: Add semgrep-go checks into validation step #1551
Comments
dgryski did an impressive job putting together common Go issue patterns to semgrep rules. https://github.com/dgryski/semgrep-go Seems to be a good idea to include thos checks inside in the validation since there are quite a lot of errors / warnings which can be easily fixed.
dgryski did an impressive job putting together common Go issue patterns to semgrep rules. https://github.com/dgryski/semgrep-go Seems to be a good idea to include thos checks inside in the validation since there are quite a lot of errors / warnings which can be easily fixed.
dgryski did an impressive job putting together common Go issue patterns to semgrep rules. https://github.com/dgryski/semgrep-go Seems to be a good idea to include thos checks inside in the validation since there are quite a lot of errors / warnings which can be easily fixed.
dgryski did an impressive job putting together common Go issue patterns to semgrep rules. https://github.com/dgryski/semgrep-go Seems to be a good idea to include thos checks inside in the validation since there are quite a lot of errors / warnings which can be easily fixed.
dgryski did an impressive job putting together common Go issue patterns to semgrep rules. https://github.com/dgryski/semgrep-go Seems to be a good idea to include thos checks inside in the validation since there are quite a lot of errors / warnings which can be easily fixed.
dgryski did an impressive job putting together common Go issue patterns to semgrep rules. https://github.com/dgryski/semgrep-go Seems to be a good idea to include thos checks inside in the validation since there are quite a lot of errors / warnings which can be easily fixed.
dgryski did an impressive job putting together common Go issue patterns to semgrep rules. https://github.com/dgryski/semgrep-go Seems to be a good idea to include thos checks inside in the validation since there are quite a lot of errors / warnings which can be easily fixed.
|
Hey @benjaminch! Semgrep maintainer here. @dgryski's rules are also published to the Semgrep registry if you'd like to skip the semgrep --config http://semgrep.dev/r/dgryski.semgrep-goThis is the equivalent and lets you skip the Would love to hear your feedback! |
|
Hello @dlukeomalley ! Thanks a lot for your help here, really appreciate :) Let's see if I can make it happen ! Thanks ! |
|
Let me know if you run into any issues, the maintainer group loves supporting use cases like yours! 🙂 |
|
@benjaminch This looks very interesting. Thank you for taking the initiative. I discovered this recently as well thanks to Grayson Hardaway's GoLang NYC talk. We're currently in the middle of revitalizing our CI/CD pipeline using GitHub Actions. This looks like a nice addition. @mansinahar is working on adding a linter. I'm curious if you recommend this as a complimentary static analysis or a replacement to a traditional linter? @dlukeomalley Thank you very much for the support. I'm excited to increase our code safety checks and also at the prospect of codifying our project specific rules to make PR reviews quicker. One use case I have in mind is catching writes to shared memory. Go lacks any sort of way to express read / write access, which is perhaps the thing I miss the most from C#. I imagine a rule of this kind would require flow analysis, right? Or is there a way to write a semgrep rule which catches a write to a variable which hasn't been copied first. Ex: |
|
Hey @SyntaxNode !
I think it's a complimentary static analysis tool along the linter, it won't replace a linter IMO as it won't serve the same purpose. |
|
@SyntaxNode I agree with @benjaminch that this won't replace the linter as the linter checks more for style related rules vs this seems to check for potential bugs and such.
Looks like golangci-lint is one of the popular open-source linters for Go that supports a bunch of linters (one of them being go-critic which has a ruleguard integration as well) My question would be, are there any semgrep-go rules that aren't covered by the myriad of linters supported by golangci-lint? And if there are, how important they are to this project? If they are quite important then we can consider adding semgrep-go but as a starting point golangci-lint should be the most helpful IMHO. |
|
@dlukeomalley out of curiosity, do you consider integrating semgrep-go with golangci-lint in the future? |
|
My suggestion is to start by integrating tools with little to no false positives: go vet, staticcheck, ineffassign, and nilness. Most of the other liners catch nits that are either more style issues and just generate code churn. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
for reference, here's the output of running semgrep with the https://github.com/dgryski/semgrep-go ruleset: I would be interested in fixing them and also adding this to the CI checks, if possible and reasonable. |
Discovered recently this amazing semgrep-go rules collection put together by @dgryski here https://github.com/dgryski/semgrep-go allowing to avoid common issue patterns in Go.
The check shouldn't by blocking for the time being, but once all errors / warnings will be solved, maybe it should become blocking in case something is detected.
I will be pushing a PR to introduce this one in the workflow so we can discuss and let me know what you think about it.
Cheers ! :)
The text was updated successfully, but these errors were encountered: