chore(security): expand Semgrep coverage to include frontend and secrets scanning

2026-03-13 19:58:08 +00:00
parent bad97102e1
commit 48af524313
2 changed files with 17 additions and 11 deletions
--- a/lefthook.yml
+++ b/lefthook.yml
@@ -104,13 +104,9 @@ pre-commit:
      glob: "frontend/**/*.{ts,tsx,js,jsx}"
      run: cd frontend && npm run lint

-
-# ============================================================
-# PRE-PUSH  (blocking, runs on push)
-# ============================================================
-pre-push:
-  commands:
    semgrep:
+      glob: "**/*.{go,ts,tsx,js,jsx,sh,yml,yaml}"
+      exclude: 'frontend/(coverage|dist|node_modules|\.vite)/'
      run: scripts/pre-commit-hooks/semgrep-scan.sh


--- a/scripts/pre-commit-hooks/semgrep-scan.sh
+++ b/scripts/pre-commit-hooks/semgrep-scan.sh
@@ -15,13 +15,23 @@ fi

 cd "${REPO_ROOT}"

-# Default to p/golang for speed (~30s vs 60-180s for auto).
-# Override with: SEMGREP_CONFIG=auto git push
-readonly SEMGREP_CONFIG_VALUE="${SEMGREP_CONFIG:-p/golang}"
+# Default: full security ruleset covering Go backend, JS/TS/React frontend, secrets.
+# Override with: SEMGREP_CONFIG=auto git commit (runs all Semgrep rules, ~3-5 min)
+if [ -n "${SEMGREP_CONFIG:-}" ]; then
+  SEMGREP_CONFIGS=(--config "${SEMGREP_CONFIG}")
+  echo "Running Semgrep with override config: ${SEMGREP_CONFIG}"
+else
+  SEMGREP_CONFIGS=(
+    --config p/golang
+    --config p/javascript
+    --config p/react
+    --config p/secrets
+  )
+  echo "Running Semgrep with configs: p/golang, p/javascript, p/react, p/secrets"
+fi

-echo "Running Semgrep with config: ${SEMGREP_CONFIG_VALUE}"
 semgrep scan \
-  --config "${SEMGREP_CONFIG_VALUE}" \
+  "${SEMGREP_CONFIGS[@]}" \
  --severity ERROR \
  --severity WARNING \
  --error \