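#!/bin/bash
#
# Runs a Semgrep security scan over the whole project (or over the files
# given as arguments), prints a summary plus a simple score, and exits
# non-zero when ERROR-severity findings are present.
#
# Usage: security-scan.sh [FILE...]
#
# Requirements: semgrep (installed on demand via install-semgrep.sh next to
# this script) and jq (used to evaluate the JSON report).
#
# Note: --config=auto and the p/* rulesets are resolved through the Semgrep
# registry, so the scan needs network access; check the Semgrep docs on what
# --config=auto reports back before using it on confidential code.

set -euo pipefail

# Colors for output
RED='\033[0;31m'
YELLOW='\033[1;33m'
GREEN='\033[0;32m'
NC='\033[0m' # No Color

# Make sure Semgrep is available; install it on demand.
if ! command -v semgrep &> /dev/null; then
  echo -e "${YELLOW}Semgrep nicht gefunden. Installiere...${NC}"
  bash "$(dirname "$0")/install-semgrep.sh"
  # A failed or partial install must not silently turn into an empty scan.
  if ! command -v semgrep &> /dev/null; then
    echo -e "${RED}Semgrep konnte nicht installiert werden.${NC}" >&2
    exit 2
  fi
fi

# jq evaluates the report. Without it every count below would silently fall
# back to 0 and the script would report a clean scan it never evaluated.
if ! command -v jq &> /dev/null; then
  echo -e "${RED}jq nicht gefunden. Bitte jq installieren.${NC}" >&2
  exit 2
fi

# Arguments: specific files, or scan everything. The targets are kept as an
# array so that paths containing spaces survive (joining "$@" into one
# string and expanding it unquoted would split them).
if [ $# -gt 0 ]; then
  SCAN_TARGET=("$@")
  echo "Scanne spezifische Dateien: $*"
else
  SCAN_TARGET=(".")
  echo "Scanne gesamtes Projekt..."
fi

# Temporary file for the JSON report; removed on every exit path, including
# the early exits below and failures under set -e.
RESULT_FILE=$(mktemp)
cleanup() { rm -f -- "$RESULT_FILE"; }
trap cleanup EXIT

echo ""
echo "Starte Security Scan..."
echo "========================"

# Record Semgrep's exit status instead of discarding it: a scanner that
# could not run (no network for the registry, broken install, crash) must
# not be reported as "no findings". stderr is left visible so the cause of
# a failure is not hidden.
SEMGREP_STATUS=0
semgrep \
  --config=auto \
  --config=p/security-audit \
  --config=p/typescript \
  --json \
  --output="$RESULT_FILE" \
  "${SCAN_TARGET[@]}" || SEMGREP_STATUS=$?

# The report must be valid JSON with a results array. An empty or truncated
# file is a scan error, not a clean result.
if ! jq -e '.results | type == "array"' "$RESULT_FILE" > /dev/null 2>&1; then
  echo ""
  echo -e "${RED}FEHLER: Semgrep hat keine auswertbaren Ergebnisse geliefert (Exit-Code $SEMGREP_STATUS).${NC}" >&2
  exit 2
fi

# A non-zero status with a usable report usually means some targets were
# skipped or a rule failed; surface it rather than pretending the scan was
# complete. The per-scan error list is reported when the JSON carries one.
if [ "$SEMGREP_STATUS" -ne 0 ]; then
  echo -e "${YELLOW}Hinweis: Semgrep endete mit Exit-Code $SEMGREP_STATUS; Ergebnisse koennten unvollstaendig sein.${NC}" >&2
fi
SCAN_ERRORS=$(jq '(.errors // []) | length' "$RESULT_FILE")
if [ "$SCAN_ERRORS" -gt 0 ]; then
  echo -e "${YELLOW}Hinweis: Semgrep meldet $SCAN_ERRORS Scan-Fehler (uebersprungene Dateien/Regeln).${NC}" >&2
fi

# Count findings of one severity ("ERROR", "WARNING", "INFO").
count_severity() {
  jq --arg sev "$1" '[.results[] | select(.extra.severity == $sev)] | length' "$RESULT_FILE"
}

TOTAL=$(jq '.results | length' "$RESULT_FILE")
ERRORS=$(count_severity ERROR)
WARNINGS=$(count_severity WARNING)
INFO=$(count_severity INFO)

echo ""
echo "========================"
echo "Scan Ergebnisse"
echo "========================"
echo ""

if [ "$TOTAL" -eq 0 ]; then
  echo -e "${GREEN}Keine Sicherheitsprobleme gefunden!${NC}"
else
  echo -e "Gefunden: ${RED}$ERRORS Critical/High${NC}, ${YELLOW}$WARNINGS Medium${NC}, $INFO Low"
  echo ""

  # Print one entry per finding: severity, rule id, location, message.
  echo "Details:"
  echo "--------"
  jq -r '.results[] | "[\(.extra.severity)] \(.check_id)\n File: \(.path):\(.start.line)\n Message: \(.extra.message)\n"' "$RESULT_FILE"
fi

# Score: start at 100, subtract per finding weighted by severity, floor at 0.
SCORE=$((100 - (ERRORS * 10) - (WARNINGS * 3) - (INFO * 1)))
if [ "$SCORE" -lt 0 ]; then SCORE=0; fi

echo ""
echo "========================"
echo -e "Security Score: ${GREEN}$SCORE/100${NC}"
echo "========================"

# Fail the run (e.g. a CI job) when ERROR-severity findings exist.
if [ "$ERRORS" -gt 0 ]; then
  echo ""
  echo -e "${RED}WARNUNG: Es wurden kritische Sicherheitsprobleme gefunden!${NC}"
  exit 1
fi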