Make semgrep helper script easier to use in different situations. Add missing id

Author: cdrubin

.semgrep/directory-entry-validation.yaml

@@ -0,0 +1,49 @@
+rules:
+  - id: directory-entry-wrong-extension
+    languages: [generic]
+    message: >-
+      Directory entry files must use the .yaml extension, not .yml.
+      Rename this file to use .yaml instead.
+      (add [skip style guide checks] to commit message to skip)
+    severity: MEDIUM
+    paths:
+      include:
+        - "/src/content/directory/*.yml"
+    patterns:
+      # Match the name field — every directory entry has one, so this fires
+      # once per .yml file to flag the wrong extension.
+      - pattern-regex: "^name: "
+
+  - id: directory-entry-missing-id
+    languages: [yaml]
+    message: >-
+      Directory entry is missing a required id field.
+      Run tools/directory-entry-ids to generate one automatically.
+      (add [skip style guide checks] to commit message to skip)
+    severity: MEDIUM
+    paths:
+      include:
+        - "/src/content/directory/*.yaml"
+        - "/src/content/directory/*.yml"
+    patterns:
+      - pattern: |
+          name: $NAME
+      - pattern-not-inside: |
+          id: ...
+          ...
+
+  - id: directory-entry-invalid-id
+    languages: [generic]
+    message: >-
+      Directory entry has an invalid id. The id must be exactly 6 characters
+      composed only of: abcdefghijkmnopqrstuvwxyzACDEFGHJKLMNPQRTUVWXY34679.
+      Run tools/directory-entry-ids to generate a valid id.
+      (add [skip style guide checks] to commit message to skip)
+    severity: MEDIUM
+    paths:
+      include:
+        - "/src/content/directory/*.yaml"
+        - "/src/content/directory/*.yml"
+    patterns:
+      - pattern-regex: "^id: "
+      - pattern-not-regex: "^id: [abcdefghijkmnopqrstuvwxyzACDEFGHJKLMNPQRTUVWXY34679]{6}$"

src/content/directory/cloudflare-agent.yaml

@@ -1,3 +1,4 @@
+id: kj7Wuc
 
 name: Cloudflare Agent
 entry:

tools/semgrep-repo-rules

@@ -5,6 +5,41 @@ repo_root_dir="$(git rev-parse --show-toplevel)"
 
 pushd "${repo_root_dir}" > /dev/null || return
 
+scan_all=false
+scan_path=""
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --all) scan_all=true; shift ;;
+    --path) scan_path="$2"; shift 2 ;;
+    *) shift ;;
+  esac
+done
+
+if [ -n "$scan_path" ]; then
+  echo "Scanning all files in ${scan_path}..."
+  docker run --rm -v "${PWD}:/src" semgrep/semgrep \
+    semgrep scan \
+      --config .semgrep --metrics=off \
+      --include "*.mdx" --include "*.md" --include "*.html" --include "*.htm" --include "*.yaml" --include "*.yml" \
+      --error \
+      "$scan_path"
+  semgrep_return_code=$?
+  echo "return code: $semgrep_return_code"
+  exit $semgrep_return_code
+fi
+
+if [ "$scan_all" = true ]; then
+  echo "Scanning all files..."
+  docker run --rm -v "${PWD}:/src" semgrep/semgrep \
+    semgrep scan \
+      --config .semgrep --metrics=off \
+      --include "*.mdx" --include "*.md" --include "*.html" --include "*.htm" --include "*.yaml" --include "*.yml" \
+      --error
+  semgrep_return_code=$?
+  echo "return code: $semgrep_return_code"
+  exit $semgrep_return_code
+fi
+
 base_commit=$(git merge-base HEAD origin/production)
 git diff $base_commit... --diff-filter=ACMRT --name-only | grep -E '\.(htm|html|yaml|yml|md|mdx)$' > tools/relevant_changed_files.txt || true