chore(security): expand Semgrep coverage to include frontend and secrets scanning

2026-03-13 19:58:08 +00:00
parent bad97102e1
commit 48af524313
2 changed files with 17 additions and 11 deletions
--- a/scripts/pre-commit-hooks/semgrep-scan.sh
+++ b/scripts/pre-commit-hooks/semgrep-scan.sh
@@ -15,13 +15,23 @@ fi

 cd "${REPO_ROOT}"

-# Default to p/golang for speed (~30s vs 60-180s for auto).
-# Override with: SEMGREP_CONFIG=auto git push
-readonly SEMGREP_CONFIG_VALUE="${SEMGREP_CONFIG:-p/golang}"
+# Default: full security ruleset covering Go backend, JS/TS/React frontend, secrets.
+# Override with: SEMGREP_CONFIG=auto git commit (runs all Semgrep rules, ~3-5 min)
+if [ -n "${SEMGREP_CONFIG:-}" ]; then
+  SEMGREP_CONFIGS=(--config "${SEMGREP_CONFIG}")
+  echo "Running Semgrep with override config: ${SEMGREP_CONFIG}"
+else
+  SEMGREP_CONFIGS=(
+    --config p/golang
+    --config p/javascript
+    --config p/react
+    --config p/secrets
+  )
+  echo "Running Semgrep with configs: p/golang, p/javascript, p/react, p/secrets"
+fi

-echo "Running Semgrep with config: ${SEMGREP_CONFIG_VALUE}"
 semgrep scan \
-  --config "${SEMGREP_CONFIG_VALUE}" \
+  "${SEMGREP_CONFIGS[@]}" \
  --severity ERROR \
  --severity WARNING \
  --error \