sequant 1.11.0 → 1.13.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +93 -7
- package/dist/bin/cli.js +12 -9
- package/dist/src/commands/doctor.js +25 -20
- package/dist/src/commands/init.js +152 -65
- package/dist/src/commands/logs.js +7 -6
- package/dist/src/commands/run.d.ts +13 -1
- package/dist/src/commands/run.js +75 -12
- package/dist/src/commands/stats.js +67 -48
- package/dist/src/commands/status.js +30 -12
- package/dist/src/index.d.ts +6 -0
- package/dist/src/index.js +4 -0
- package/dist/src/lib/ac-linter.d.ts +116 -0
- package/dist/src/lib/ac-linter.js +304 -0
- package/dist/src/lib/cli-ui.d.ts +196 -0
- package/dist/src/lib/cli-ui.js +544 -0
- package/dist/src/lib/content-analyzer.d.ts +89 -0
- package/dist/src/lib/content-analyzer.js +437 -0
- package/dist/src/lib/phase-signal.d.ts +94 -0
- package/dist/src/lib/phase-signal.js +171 -0
- package/dist/src/lib/plugin-version-sync.d.ts +26 -0
- package/dist/src/lib/plugin-version-sync.js +91 -0
- package/dist/src/lib/project-name.d.ts +40 -0
- package/dist/src/lib/project-name.js +191 -0
- package/dist/src/lib/semgrep.d.ts +136 -0
- package/dist/src/lib/semgrep.js +406 -0
- package/dist/src/lib/solve-comment-parser.d.ts +84 -0
- package/dist/src/lib/solve-comment-parser.js +200 -0
- package/dist/src/lib/stack-config.d.ts +51 -0
- package/dist/src/lib/stack-config.js +77 -0
- package/dist/src/lib/stacks.d.ts +66 -0
- package/dist/src/lib/stacks.js +332 -0
- package/dist/src/lib/templates.d.ts +2 -0
- package/dist/src/lib/templates.js +12 -3
- package/dist/src/lib/upstream/assessment.d.ts +70 -0
- package/dist/src/lib/upstream/assessment.js +385 -0
- package/dist/src/lib/upstream/index.d.ts +11 -0
- package/dist/src/lib/upstream/index.js +14 -0
- package/dist/src/lib/upstream/issues.d.ts +38 -0
- package/dist/src/lib/upstream/issues.js +267 -0
- package/dist/src/lib/upstream/relevance.d.ts +50 -0
- package/dist/src/lib/upstream/relevance.js +209 -0
- package/dist/src/lib/upstream/report.d.ts +29 -0
- package/dist/src/lib/upstream/report.js +391 -0
- package/dist/src/lib/upstream/types.d.ts +207 -0
- package/dist/src/lib/upstream/types.js +5 -0
- package/dist/src/lib/workflow/log-writer.d.ts +1 -1
- package/dist/src/lib/workflow/metrics-schema.d.ts +3 -3
- package/dist/src/lib/workflow/qa-cache.d.ts +199 -0
- package/dist/src/lib/workflow/qa-cache.js +440 -0
- package/dist/src/lib/workflow/run-log-schema.d.ts +34 -6
- package/dist/src/lib/workflow/run-log-schema.js +12 -1
- package/dist/src/lib/workflow/state-schema.d.ts +4 -4
- package/dist/src/lib/workflow/types.d.ts +4 -0
- package/package.json +6 -1
- package/templates/hooks/pre-tool.sh +6 -0
- package/templates/memory/constitution.md +1 -5
- package/templates/skills/_shared/references/prompt-templates.md +350 -0
- package/templates/skills/_shared/references/subagent-types.md +131 -0
- package/templates/skills/exec/SKILL.md +82 -0
- package/templates/skills/fullsolve/SKILL.md +19 -2
- package/templates/skills/loop/SKILL.md +3 -1
- package/templates/skills/qa/SKILL.md +79 -9
- package/templates/skills/qa/references/quality-gates.md +85 -1
- package/templates/skills/qa/references/semgrep-rules.md +207 -0
- package/templates/skills/qa/scripts/quality-checks.sh +525 -15
- package/templates/skills/spec/SKILL.md +322 -9
|
@@ -0,0 +1,207 @@
|
|
|
1
|
+
# Semgrep Integration Guide
|
|
2
|
+
|
|
3
|
+
This guide explains how to configure and use Semgrep static analysis in the `/qa` workflow.
|
|
4
|
+
|
|
5
|
+
## Overview
|
|
6
|
+
|
|
7
|
+
Semgrep is a fast, open-source static analysis tool that finds bugs and enforces code standards. The `/qa` skill integrates Semgrep to automatically scan code changes for security vulnerabilities and anti-patterns.
|
|
8
|
+
|
|
9
|
+
## Installation
|
|
10
|
+
|
|
11
|
+
Semgrep is **optional**. If not installed, the `/qa` skill will gracefully skip Semgrep analysis.
|
|
12
|
+
|
|
13
|
+
### Install Semgrep
|
|
14
|
+
|
|
15
|
+
```bash
|
|
16
|
+
# Using pip (recommended)
|
|
17
|
+
pip install semgrep
|
|
18
|
+
|
|
19
|
+
# Using Homebrew (macOS)
|
|
20
|
+
brew install semgrep
|
|
21
|
+
|
|
22
|
+
# Using npm (via npx - no install required)
|
|
23
|
+
npx semgrep --version
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
### Verify Installation
|
|
27
|
+
|
|
28
|
+
```bash
|
|
29
|
+
semgrep --version
|
|
30
|
+
# Or
|
|
31
|
+
npx semgrep --version
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
## How It Works
|
|
35
|
+
|
|
36
|
+
1. During `/qa`, the quality checks script detects if Semgrep is installed
|
|
37
|
+
2. If installed, it runs Semgrep with stack-appropriate rulesets
|
|
38
|
+
3. Findings are categorized by severity (critical, warning, info)
|
|
39
|
+
4. Critical findings block the merge verdict (`AC_NOT_MET`)
|
|
40
|
+
5. Warnings are noted but don't block merges
|
|
41
|
+
|
|
42
|
+
## Default Rulesets
|
|
43
|
+
|
|
44
|
+
Semgrep uses stack-specific rulesets for targeted analysis:
|
|
45
|
+
|
|
46
|
+
| Stack | Rulesets Applied |
|
|
47
|
+
|-------|------------------|
|
|
48
|
+
| **Next.js** | p/typescript, p/javascript, p/react, p/security-audit, p/secrets |
|
|
49
|
+
| **Astro** | p/typescript, p/javascript, p/security-audit, p/secrets |
|
|
50
|
+
| **SvelteKit** | p/typescript, p/javascript, p/security-audit, p/secrets |
|
|
51
|
+
| **Remix** | p/typescript, p/javascript, p/react, p/security-audit, p/secrets |
|
|
52
|
+
| **Nuxt** | p/typescript, p/javascript, p/security-audit, p/secrets |
|
|
53
|
+
| **Python** | p/python, p/django, p/flask, p/security-audit, p/secrets |
|
|
54
|
+
| **Go** | p/golang, p/security-audit, p/secrets |
|
|
55
|
+
| **Rust** | p/rust, p/security-audit, p/secrets |
|
|
56
|
+
| **Generic** | p/security-audit, p/secrets |
|
|
57
|
+
|
|
58
|
+
## Custom Rules
|
|
59
|
+
|
|
60
|
+
You can add project-specific rules by creating `.sequant/semgrep-rules.yaml` in your project root.
|
|
61
|
+
|
|
62
|
+
### Getting Started
|
|
63
|
+
|
|
64
|
+
Copy the example template to your project:
|
|
65
|
+
|
|
66
|
+
```bash
|
|
67
|
+
# Copy the example template
|
|
68
|
+
cp docs/examples/semgrep-rules.example.yaml .sequant/semgrep-rules.yaml
|
|
69
|
+
```
|
|
70
|
+
|
|
71
|
+
### Custom Rules File Location
|
|
72
|
+
|
|
73
|
+
```
|
|
74
|
+
your-project/
|
|
75
|
+
├── .sequant/
|
|
76
|
+
│ └── semgrep-rules.yaml # Your custom rules
|
|
77
|
+
├── src/
|
|
78
|
+
└── package.json
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
### Example Custom Rules
|
|
82
|
+
|
|
83
|
+
```yaml
|
|
84
|
+
rules:
|
|
85
|
+
# Prevent console.log in production code
|
|
86
|
+
- id: no-console-log
|
|
87
|
+
pattern: console.log(...)
|
|
88
|
+
message: "Remove console.log before merging"
|
|
89
|
+
severity: WARNING
|
|
90
|
+
languages: [typescript, javascript]
|
|
91
|
+
paths:
|
|
92
|
+
exclude:
|
|
93
|
+
- "**/*.test.*"
|
|
94
|
+
- "**/__tests__/**"
|
|
95
|
+
|
|
96
|
+
# Require explicit return types on exported functions
|
|
97
|
+
- id: explicit-return-type
|
|
98
|
+
pattern: |
|
|
99
|
+
export function $FUNC(...): $RET { ... }
|
|
100
|
+
pattern-not: |
|
|
101
|
+
export function $FUNC(...): void { ... }
|
|
102
|
+
message: "Exported functions should have explicit return types"
|
|
103
|
+
severity: INFO
|
|
104
|
+
languages: [typescript]
|
|
105
|
+
|
|
106
|
+
# Detect potential SQL injection
|
|
107
|
+
- id: sql-injection-risk
|
|
108
|
+
patterns:
|
|
109
|
+
- pattern: $DB.query($SQL + ...)
|
|
110
|
+
- pattern: $DB.query(`...${...}...`)
|
|
111
|
+
message: "Potential SQL injection - use parameterized queries"
|
|
112
|
+
severity: ERROR
|
|
113
|
+
languages: [typescript, javascript]
|
|
114
|
+
|
|
115
|
+
# Prevent hardcoded API keys
|
|
116
|
+
- id: no-hardcoded-api-key
|
|
117
|
+
pattern-regex: "(api[_-]?key|apikey|secret[_-]?key)\\s*[:=]\\s*['\"][^'\"]{8,}['\"]"
|
|
118
|
+
message: "Don't hardcode API keys - use environment variables"
|
|
119
|
+
severity: ERROR
|
|
120
|
+
languages: [typescript, javascript, python]
|
|
121
|
+
```
|
|
122
|
+
|
|
123
|
+
### Rule Severity Levels
|
|
124
|
+
|
|
125
|
+
| Severity | Verdict Impact | Description |
|
|
126
|
+
|----------|----------------|-------------|
|
|
127
|
+
| `ERROR` | **Blocking** | Critical issues that must be fixed |
|
|
128
|
+
| `WARNING` | Non-blocking | Issues that should be reviewed |
|
|
129
|
+
| `INFO` | Non-blocking | Style suggestions |
|
|
130
|
+
|
|
131
|
+
## Running Semgrep Manually
|
|
132
|
+
|
|
133
|
+
You can run Semgrep manually using the provided script:
|
|
134
|
+
|
|
135
|
+
```bash
|
|
136
|
+
# Scan entire project with auto-detected stack
|
|
137
|
+
npx tsx scripts/semgrep-scan.ts
|
|
138
|
+
|
|
139
|
+
# Scan only changed files (faster, recommended)
|
|
140
|
+
npx tsx scripts/semgrep-scan.ts --changed-only
|
|
141
|
+
|
|
142
|
+
# Scan specific directories
|
|
143
|
+
npx tsx scripts/semgrep-scan.ts src/api/ src/lib/
|
|
144
|
+
|
|
145
|
+
# Override detected stack
|
|
146
|
+
npx tsx scripts/semgrep-scan.ts --stack python
|
|
147
|
+
|
|
148
|
+
# Get JSON output
|
|
149
|
+
npx tsx scripts/semgrep-scan.ts --json > semgrep-results.json
|
|
150
|
+
```
|
|
151
|
+
|
|
152
|
+
## Interpreting Results
|
|
153
|
+
|
|
154
|
+
### Clean Output
|
|
155
|
+
|
|
156
|
+
```
|
|
157
|
+
## Static Analysis (Semgrep)
|
|
158
|
+
|
|
159
|
+
✅ No security issues found
|
|
160
|
+
```
|
|
161
|
+
|
|
162
|
+
### Issues Found
|
|
163
|
+
|
|
164
|
+
```
|
|
165
|
+
## Static Analysis (Semgrep)
|
|
166
|
+
|
|
167
|
+
❌ 1 critical finding(s)
|
|
168
|
+
⚠️ 2 warning(s)
|
|
169
|
+
|
|
170
|
+
### ❌ Critical Issues
|
|
171
|
+
|
|
172
|
+
- `src/api/users.ts:47` - Potential SQL injection (user input in query) (security.sql-injection)
|
|
173
|
+
|
|
174
|
+
### ⚠️ Warnings
|
|
175
|
+
|
|
176
|
+
- `src/utils/exec.ts:12` - Command injection risk (unsanitized shell arg) (security.command-injection)
|
|
177
|
+
- `src/lib/logger.ts:8` - Remove console.log before merging (custom.no-console-log)
|
|
178
|
+
```
|
|
179
|
+
|
|
180
|
+
## Troubleshooting
|
|
181
|
+
|
|
182
|
+
### Semgrep Not Running
|
|
183
|
+
|
|
184
|
+
1. Check if Semgrep is installed: `semgrep --version`
|
|
185
|
+
2. If not installed, install it or use `npx semgrep`
|
|
186
|
+
3. Check for error messages in the quality checks output
|
|
187
|
+
|
|
188
|
+
### False Positives
|
|
189
|
+
|
|
190
|
+
If a rule produces false positives:
|
|
191
|
+
|
|
192
|
+
1. Add a `# nosemgrep: rule-id` comment to ignore specific lines
|
|
193
|
+
2. Create custom rules that exclude specific patterns
|
|
194
|
+
3. Use path exclusions in your custom rules
|
|
195
|
+
|
|
196
|
+
### Performance
|
|
197
|
+
|
|
198
|
+
- Semgrep only scans changed files by default (via `--changed-only`)
|
|
199
|
+
- Large codebases may take longer on first scan
|
|
200
|
+
- Results are not cached between runs
|
|
201
|
+
|
|
202
|
+
## Resources
|
|
203
|
+
|
|
204
|
+
- [Semgrep Documentation](https://semgrep.dev/docs/)
|
|
205
|
+
- [Semgrep Rule Registry](https://semgrep.dev/r)
|
|
206
|
+
- [Writing Custom Rules](https://semgrep.dev/docs/writing-rules/overview/)
|
|
207
|
+
- [Rule Syntax Reference](https://semgrep.dev/docs/writing-rules/rule-syntax/)
|