CI: Setup semgrep (#2729)

* Add semgrep to CI

* Add ignore file

* Flag only new semgrep findings

* Update config.yml
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

.circleci/config.yml

@@ -498,9 +498,39 @@ jobs:
           name: run itests
           command: make test-integration
 
+  semgrep-scan:
+    parameters:
+        diff_branch:
+          type: string
+          default: develop
+    environment:
+      # Scan changed files in PRs, block on new issues only (existing issues ignored)
+      SEMGREP_BASELINE_REF: << parameters.diff_branch >>
+      SEMGREP_REPO_URL: << pipeline.project.git_url >>
+      SEMGREP_BRANCH: << pipeline.git.branch >>
+
+      # Change job timeout (default is 1800 seconds; set to 0 to disable)
+      SEMGREP_TIMEOUT: 3000
+
+    docker:
+      - image: returntocorp/semgrep
+    steps:
+      - checkout
+      - run:
+          name: "Set environment variables" # for PR comments and in-app hyperlinks to findings
+          command: |
+              echo 'export SEMGREP_COMMIT=$CIRCLE_SHA1' >> $BASH_ENV
+              echo 'export SEMGREP_PR_ID=${CIRCLE_PULL_REQUEST##*/}' >> $BASH_ENV
+              echo 'export SEMGREP_JOB_URL=$CIRCLE_BUILD_URL' >> $BASH_ENV
+              echo 'export SEMGREP_REPO_NAME=$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME' >> $BASH_ENV
+      - run:
+          name: "Semgrep scan"
+          command: semgrep ci
+
 workflows:
   main:
     jobs:
+      - semgrep-scan
       - yarn-monorepo
       - bedrock-go-tests
       - bedrock-markdown

.semgrepignore

+# Common large paths
+node_modules/
+build/
+dist/
+vendor/
+.env/
+.venv/
+.tox/
+*.min.js
+
+# Common test paths
+test/
+tests/
+
+# Semgrep rules folder
+.semgrep
+
+# Semgrep-action log folder
+.semgrep_logs/
+
+l2geth/
+packages/*/node_modules
+packages/*/test
\ No newline at end of file