feat(ci): add semgrep to ci-builder (#12376)

Adds semgrep to ci builder and adds justfile commands to install
semgrep like everything else.

justfile

 issues:
   ./ops/scripts/todo-checker.sh
 
-semgrep-scan-local:
-  semgrep scan --config=.semgrep
+# Runs semgrep on the entire monorepo.
+semgrep:
+  semgrep scan --config=.semgrep --error .
 
 lint-shellcheck:
   find . -type f -name '*.sh' -not -path '*/node_modules/*' -not -path './packages/contracts-bedrock/lib/*' -not -path './packages/contracts-bedrock/kout*/*' -exec sh -c 'echo \"Checking $1\"; shellcheck \"$1\"' _ {} \\;
@@ -45,3 +46,15 @@ check-slither:
 
 upgrade-slither:
   jq '.slither = $v' --arg v $(just print-slither) <<<$(cat versions.json) > versions.json
+
+install-semgrep:
+  pip3 install semgrep
+
+print-semgrep:
+  semgrep --version
+
+check-semgrep:
+  [ "$(just print-semgrep)" = "$(jq -r .semgrep < versions.json)" ] && echo '✓ semgrep versions match' || (echo '✗ semgrep version mismatch. Run `just upgrade-semgrep` to upgrade.' && exit 1)
+
+upgrade-semgrep:
+  jq '.semgrep = $v' --arg v $(just print-semgrep) <<<$(cat versions.json) > versions.json

ops/docker/ci-builder/Dockerfile

@@ -105,6 +105,7 @@ RUN /bin/sh -c set -eux; \
   apt-get install -y docker-ce-cli; \
   ln -s /usr/local/go/bin/gofmt /usr/local/bin/gofmt; \
   pip install capstone pyelftools; \
+  pip install semgrep==$(jq -r .semgrep < versions.json); \
   curl -fLSs https://raw.githubusercontent.com/CircleCI-Public/circleci-cli/master/install.sh | bash; \
   apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
   rm -rf /var/lib/apt/lists/*; \

versions.json

@@ -9,5 +9,6 @@
   "slither": "0.10.2",
   "kontrol": "0.1.316",
   "just": "1.34.0",
-  "binary_signer": "1.0.4"
+  "binary_signer": "1.0.4",
+  "semgrep": "1.90.0"
 }