cI: add semgrep rules for using test account IDs and zone IDs

cloudflare · Jun 29, 2022 · d0bf888 · d0bf888
1 parent 3458b4d
commit d0bf888
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 33 deletions.
diff --git a/.semgrep.yml b/.semgrep.yml
@@ -5,10 +5,10 @@ rules:
     message: Where a real IPv4 address isn't needed, use IPv4 addresses from RFC5737.
     paths:
       include:
-        - internal/provider/*_test.go
-        - docs/
-        - examples/
-        - templates/
+        - '*_test.go'
+        - 'docs/'
+        - 'examples/'
+        - 'templates/'
     patterns:
       - pattern-regex: '\d+\.\d+\.\d+\.\d+'
       - pattern-not-regex: '10\.\d+\.\d+.\d+'
@@ -23,10 +23,60 @@ rules:
     message: Where a real IPv6 address isn't needed, use IPv6 addresses from RFC3849.
     paths:
       include:
-        - internal/provider/*_test.go
-        - docs/
-        - examples/
-        - templates/
+        - '*_test.go'
+        - 'docs/'
+        - 'examples/'
+        - 'templates/'
     patterns:
       - pattern-regex: '(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))'
     severity: WARNING
+  - id: use-test-zone-ids
+    languages:
+      - hcl
+    message: In examples and acceptance tests, we should only use the test zone ID ("0da42c8d2132a9ddaf714f9e7c920711" or `testZoneID` in tests).
+    paths:
+      include:
+        - '*_test.go'
+        - 'docs/'
+        - 'examples/'
+        - 'templates/'
+    patterns:
+      - pattern: zone_id = "..."
+      - pattern-not: zone_id = "0da42c8d2132a9ddaf714f9e7c920711"
+      - pattern-either:
+        - pattern-inside: |
+            resource "..." "..." {
+              ...
+            }
+        - pattern-inside: |
+            data "..." "..." {
+              ...
+            }
+    severity: WARNING
+  - id: use-test-account-ids
+    languages:
+      - hcl
+    message: In examples and acceptance tests, we should only use the test account ID ("f037e56e89293a057740de681ac9abbe" or `testAccountID` in tests).
+    paths:
+      include:
+        - '*_test.go'
+        - 'docs/'
+        - 'examples/'
+        - 'templates/'
+    patterns:
+      - pattern: account_id = "..."
+      - pattern-not: account_id = "f037e56e89293a057740de681ac9abbe"
+      - pattern-either:
+        - pattern-inside: |
+            resource "..." "..." {
+              ...
+            }
+        - pattern-inside: |
+            data "..." "..." {
+              ...
+            }
+        - pattern-inside: |
+            provider "..." "..." {
+              ...
+            }
+    severity: WARNING
diff --git a/.semgrepignore b/.semgrepignore
@@ -10,30 +10,13 @@
 .git/
 :include .gitignore
 
-# Common large paths
-
-node_modules/
-build/
-dist/
-vendor/
-.env/
-.venv/
-.tox/
-\*.min.js
-
-# Common test paths
-
-test/
-tests/
-
-# \*\_test.go
-
-# \*\.md
-
-# Semgrep rules folder
-
 .semgrep
-
-# Semgrep-action log folder
-
 .semgrep_logs/
+
+.github/
+.vscode/
+.changelog/
+CHANGELOG.md
+go.mod
+go.sum
+README.md