From b0eb3a83a0dd5ddd2c50963cac758503d41f5351 Mon Sep 17 00:00:00 2001
From: David Mytton
Date: Wed, 13 Dec 2023 17:39:31 +0000
Subject: [PATCH] chore(tools): enable Trunk & Semgrep (#11)
---
 .github/workflows/semgrep.yml | 24 +++++++++++++++
 .trunk/.gitignore | 8 +++++
 .trunk/configs/.markdownlint.yaml | 10 +++++++
 .trunk/configs/.yamllint.yaml | 10 +++++++
 .trunk/configs/svgo.config.js | 14 +++++++++
 .trunk/trunk.yaml | 49 +++++++++++++++++++++++++++++++
 6 files changed, 115 insertions(+)
 create mode 100644 .github/workflows/semgrep.yml
 create mode 100644 .trunk/.gitignore
 create mode 100644 .trunk/configs/.markdownlint.yaml
 create mode 100644 .trunk/configs/.yamllint.yaml
 create mode 100644 .trunk/configs/svgo.config.js
 create mode 100644 .trunk/trunk.yaml
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 000000000..4106039e8
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,24 @@
+name: Semgrep
+on:
+ workflow_dispatch: {}
+ pull_request: {}
+ push:
+ branches:
+ - main
+ paths:
+ - .github/workflows/semgrep.yml
+ schedule:
+ # random HH:MM to avoid a load spike on GitHub Actions at 00:00
+ - cron: 53 18 * * *
+jobs:
+ semgrep:
+ name: semgrep/ci
+ runs-on: ubuntu-20.04
+ env:
+ SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+ container:
+ image: returntocorp/semgrep
+ if: (github.actor != 'dependabot[bot]')
+ steps:
+ - uses: actions/checkout@v3
+ - run: semgrep ci
diff --git a/.trunk/.gitignore b/.trunk/.gitignore
new file mode 100644
index 000000000..1e2465290
--- /dev/null
+++ b/.trunk/.gitignore
@@ -0,0 +1,8 @@
+*out
+*logs
+*actions
+*notifications
+*tools
+plugins
+user_trunk.yaml
+user.yaml
diff --git a/.trunk/configs/.markdownlint.yaml b/.trunk/configs/.markdownlint.yaml
new file mode 100644
index 000000000..e99a2ead1
--- /dev/null
+++ b/.trunk/configs/.markdownlint.yaml
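Review bot: `- uses: actions/checkout@v3` and `image: returntocorp/semgrep` in the semgrep job are mutable references, so a job that holds `SEMGREP_APP_TOKEN` executes whatever those tags resolve to on the day it runs; pin the action to a full commit SHA (`- uses: actions/checkout@<full-sha> # v3`) and the container to a digest (`image: returntocorp/semgrep@sha256:<digest>`), and let Dependabot move the pins. The job also declares no `permissions:` block, so the default `GITHUB_TOKEN` scope applies; `semgrep ci` here only needs to read the checkout, so a job-level `permissions: contents: read` keeps the token least-privilege. GitHub does not pass repository secrets to `pull_request` runs triggered from forks, so those runs will not be authenticated to the Semgrep app — if that is the intended behaviour, a one-line comment above `env:` saying so would save the next reader a debugging session.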
@@ -0,0 +1,10 @@
+# Autoformatter friendly markdownlint config (all formatting rules disabled)
+default: true
+blank_lines: false
+bullet: false
+html: true
+indentation: false
+line_length: false
+spaces: false
+url: false
+whitespace: false
diff --git a/.trunk/configs/.yamllint.yaml b/.trunk/configs/.yamllint.yaml
new file mode 100644
index 000000000..4d444662d
--- /dev/null
+++ b/.trunk/configs/.yamllint.yaml
@@ -0,0 +1,10 @@
+rules:
+ quoted-strings:
+ required: only-when-needed
+ extra-allowed: ["{|}"]
+ empty-values:
+ forbid-in-block-mappings: true
+ forbid-in-flow-mappings: true
+ key-duplicates: {}
+ octal-values:
+ forbid-implicit-octal: true
diff --git a/.trunk/configs/svgo.config.js b/.trunk/configs/svgo.config.js
new file mode 100644
index 000000000..b257d1349
--- /dev/null
+++ b/.trunk/configs/svgo.config.js
@@ -0,0 +1,14 @@
+module.exports = {
+ plugins: [
+ {
+ name: "preset-default",
+ params: {
+ overrides: {
+ removeViewBox: false, // https://github.com/svg/svgo/issues/1128
+ sortAttrs: true,
+ removeOffCanvasPaths: true,
+ },
+ },
+ },
+ ],
+};
diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml
new file mode 100644
index 000000000..431576b2a
--- /dev/null
+++ b/.trunk/trunk.yaml
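Review bot: `removeOffCanvasPaths: true` sits under `overrides` of `preset-default`, but overrides only configure plugins that belong to that preset, and as far as I recall `removeOffCanvasPaths` is not a member of preset-default in SVGO 3 — if so, this line is a no-op (SVGO 3 prints a warning for overrides naming a non-preset plugin) and the plugin is never actually enabled. If the intent is to enable it, add it as its own entry in the `plugins` array after the preset, `"removeOffCanvasPaths",`, and drop it from `overrides`; worth confirming against the pinned `svgo@3.0.5`. The `removeViewBox: false` line would also read better with the reason next to the issue link, presumably `// keep viewBox so the SVG still scales when width/height are stripped`.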
@@ -0,0 +1,49 @@
+# This file controls the behavior of Trunk: https://docs.trunk.io/cli
+# To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
+version: 0.1
+cli:
+ version: 1.18.0
+# Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
+plugins:
+ sources:
+ - id: trunk
+ ref: v1.4.0
+ uri: https://github.com/trunk-io/plugins
+# Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
+runtimes:
+ enabled:
+ - node@18.12.1
+ - python@3.10.8
+# This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
+lint:
+ enabled:
+ - trivy@0.48.0
+ - yamllint@1.33.0
+ - semgrep@1.52.0
+ - gitleaks@8.18.1
+ - actionlint@1.6.26
+ - git-diff-check
+ - markdownlint@0.37.0
+ - osv-scanner@1.5.0
+ - prettier@3.1.0
+ - svgo@3.0.5
+ - trufflehog@3.63.2
+ disabled:
+ # tfsec and checkov are replaced by Trivy
+ - tfsec
+ - checkov
+ ignore:
+ - linters: [ALL]
+ paths:
+ - analyze/wasm/**
+ - protocol/gen/**
+ - "**/LICENSE"
+ threshold:
+ - linters: [markdownlint]
+ level: medium
+actions:
+ enabled:
+ - trunk-fmt-pre-commit
+ - trunk-check-pre-push
+ - trunk-announce
+ - trunk-upgrade-available
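Review bot: the `ignore` entry pairs `linters: [ALL]` with `analyze/wasm/**` and `protocol/gen/**`, which also switches off `gitleaks` and `trufflehog` on those paths, so a credential that lands in a generated file or a wasm build artifact is never flagged by `trunk check` or the pre-push hook. Generated output is a fair reason to silence formatters and style linters but not secret scanners; name the noisy linters explicitly, e.g. `- linters: [prettier, markdownlint, yamllint, semgrep]`, and keep a separate `[ALL]` entry for `**/LICENSE` if that path really should be untouched. `ref: v1.4.0` for the plugin source is a tag rather than a commit, which follows Trunk's documented convention but means the linter definitions can move under the pin; if the CLI accepts a commit SHA for `ref`, that would be the tighter choice for a repo that also pins every tool version.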