Contents for semgrep-precommit

Author: navhits

poetry.lock

@@ -0,0 +1,18 @@
+[tool.poetry]
+name = "semgrep-precommit"
+version = "0.1.0"
+description = "Pre-commit hook for Semgrep with diff awareness"
+authors = ["Naveen S <dev@navs.page>"]
+readme = "README.md"
+packages = [{include = "semgrep_precommit"}]
+
+[tool.poetry.dependencies]
+python = "^3.10"
+semgrep = "*"
+
+[tool.poetry.scripts]
+semgrep-precommit = "semgrep_precommit.main:main"
+
+[build-system]
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"

pyproject.toml

@@ -0,0 +1 @@
+__version__ = "0.1.0"

semgrep_precommit/__init__.py

@@ -0,0 +1,4 @@
+from semgrep_precommit.main import main
+
+if __name__ == "__main__":
+    raise main()

semgrep_precommit/__main__.py

@@ -0,0 +1,40 @@
+import os
+import subprocess
+import sys
+
+from semgrep_precommit.utils import *
+
+def run_semgrep(arguments: list[str]) -> int:
+    """run_semgrep runs semgrep with the given arguments.
+
+    Args:
+        arguments (list[str]): A list of arguments to pass to semgrep.
+
+    Returns:
+        int: The exit code of the semgrep command.
+    """
+    command = ["semgrep", "scan"]
+    command += arguments
+    proc = subprocess.run(command)
+    return proc.returncode
+
+def main() -> None:
+    """main is the entrypoint for the pre-commit hook.
+    """
+    arguments = list(sys.argv[1:])
+    for argument in list(arguments):
+        if is_file(argument):
+            arguments.remove(argument)
+
+    current_commit, commit_before_current = None, None
+    is_commit = commit_staged_files()
+    if is_commit:
+        current_commit, commit_before_current = get_last_two_commit_ids()
+        os.environ["SEMGREP_BASELINE_REF"] = commit_before_current
+    exit_code = run_semgrep(arguments)
+    if is_commit:
+        soft_reset_to_commit(commit_before_current)
+    sys.exit(exit_code)
+
+if __name__ == "__main__":
+    raise main()

semgrep_precommit/main.py

@@ -0,0 +1,68 @@
+import os
+import subprocess
+import typing
+
+
+def is_file(filename: str) -> bool:
+    """is_file checks if a given value is valid a file.
+
+    Args:
+        filename (str): The filename to check.
+
+    Returns:
+        bool: True if the file exists, False otherwise.
+    """
+    if os.path.isfile(filename):
+        return True
+    return False
+
+def commit_staged_files(message: str = "Dummy commit by semgrep pre-commit hook") -> bool:
+    """commit_staged_files commits all staged files with a given message.
+
+    Args:
+        message (str, optional): A commit message. 
+        Defaults to "Dummy commit by semgrep pre-commit hook".
+
+    Returns:
+        bool: True if the commit was successful, False otherwise.
+    """
+    try:
+        # We use -n to avoid running the pre-commit hook again
+        subprocess.run(["git", "commit", "-n", "-m", message], stdout=subprocess.DEVNULL)
+    except Exception:
+        return False
+    else:
+        return True
+
+def get_last_two_commit_ids() -> typing.Tuple[str | None, str | None]:
+    """get_last_two_commit_ids returns the last two commit IDs of the current branch
+
+    Returns:
+        typing.Tuple[str | None, str | None]: The last two commit IDs
+    """
+    commit_ids = None, None
+    try:
+        proc = subprocess.run(["git", "log", "--pretty=format:%H", "-n", "2"], 
+                              capture_output=True)
+        if proc.returncode == 0:
+            commit_ids = proc.stdout.decode("utf-8").strip("\n").split("\n")
+    except Exception:
+        return None, None
+    else:
+        return tuple(commit_ids)
+
+def soft_reset_to_commit(commit_id: str) -> bool:
+    """git_soft_reset_to_commit performs a soft reset to the previous commit
+
+    Args:
+        commit_id (str): The commit ID to reset to
+
+    Returns:
+        bool: True if the soft reset was successful, False otherwise
+    """
+    try:
+        subprocess.run(["git", "reset", "--soft", commit_id], stdout=subprocess.DEVNULL)
+    except Exception:
+        return False
+    else:
+        return True