Skip to main content

Generate lockfiles for Semgrep Supply Chain in a Circle CI pipeline

Semgrep Supply Chain needs your project's lockfiles as input to scan your codebase successfully. If the lockfiles that Supply Chain supports are not under source control in your project, you can generate the lockfile as part of the CI job.

In CircleCI, you can generate a lockfile during the first job and then pass it to the Semgrep scan using a workspace to share files between jobs.

The following config.yml file demonstrates how you can generate a lockfile and pass it to subsequent jobs using CircleCI workspaces. This example uses a maven_dep_tree.txt file, which typically needs to be generated from a pom.xml for Maven dependency tracking.

version: 2.1

jobs:
  lock_file_generation:
    docker:
      - image: cimg/openjdk:17.0
    steps:
      - checkout
      - run:
          name: lock file generation
          command: |
            mkdir -p workspace
            mvn dependency:tree -DoutputFile=workspace/maven_dep_tree.txt
            cat workspace/maven_dep_tree.txt
      - persist_to_workspace:
          root: workspace
          paths:
            - maven_dep_tree.txt

  scan:
    docker:
      - image: semgrep/semgrep
    steps:
      - checkout
      - attach_workspace: # This step attaches the workspace from the previous job
          at: /tmp/workspace
      - run:
         name: semgrep scan
         command: |
           cp /tmp/workspace/maven_dep_tree.txt .
           semgrep ci

workflows:
  version: 2
  build_and_scan:
    jobs:
      - lock_file_generation
      - scan:
          context:
            - semgrep
          requires:
            - build

The semgrep context is used here as the name for the context where you define the environment variables Semgrep needs, such as the SEMGREP_APP_TOKEN. This is similar to the sample configuration for CircleCI. You can choose to give the context a different name if you prefer.