🌆 Retire Find-and-Fix Changes (#211)
Docs changes in support of retiring our find-and-fix codemods features.

1. Removes content that shows how to configure codemod catalogs, since
that is a find-and-fix only concept.
2. For users that have not yet configured a code scanner in their
project, but would still like to benefit from Pixee fixes, there's now
an example of how to set up Semgrep OSS with Pixee integration.

---------

Co-authored-by: Arshan Dabirsiaghi <[email protected]>
Co-authored-by: Surag <[email protected]>
3 people authored Jan 15, 2025
1 parent 5b546a7 commit c0ebd80
Showing 8 changed files with 110 additions and 33 deletions.
58 changes: 55 additions & 3 deletions docs/code-scanning-tools/semgrep.md
Expand Up @@ -5,12 +5,64 @@ sidebar_position: 3

# Semgrep

Pixee can automatically triage and fix issues detected by [Semgrep](https://semgrep.dev/).
Pixee can automatically triage and fix issues detected by [Semgrep OSS](https://semgrep.dev/).

# GitHub Advanced Security

No setup is required for GitHub Advanced Security (GHAS) users to receive fixes from Semgrep results that are uploaded as Code Scanning alerts.
No setup is required for GitHub Advanced Security (GHAS) users to receive fixes from Semgrep results that are uploaded as Code Scanning alerts. Simply installing the Pixeebot GitHub App is sufficient.

# Others

Use the [pixee/upload-tool-results-action](https://github.com/pixee/upload-tool-results-action) GitHub Action to synchronize Semgrep findings with Pixee.
Use the [pixee/upload-tool-results-action](https://github.com/pixee/upload-tool-results-action) GitHub Action together with the Pixeebot GitHub App to synchronize Semgrep findings with Pixee.

The following GitHub Action workflow example demonstrates how to include Semgrep OSS vulnerability detection with Pixee fixes in a Java application:

```yaml
name: Analyze with Semgrep and Fix with Pixee

on:
push:
branches:
- main
pull_request:
branches:
- main

permissions:
contents: read
id-token: write

jobs:
build:
runs-on: ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Install Semgrep
run: |
python3 -m pip install semgrep
- name: Run Semgrep
run: |
semgrep --config auto --sarif --output semgrep-results.sarif.json
- name: Fix with Pixee
uses: pixee/upload-tool-results-action@v2
with:
tool: semgrep
file: semgrep-results.sarif.json
```
This workflow:
1. Runs Semgrep OSS on the project and stores the results in a standard SARIF file.
2. Runs the pixee/upload-tool-results-action that sends the SARIF file to Pixee.
Once Pixee receives the Semgrep OSS vulnerabilities, it recalls them on its next analysis of this commit.
- When this commit the head of a pull request, then Pixee triggers its _PR Hardening_ analysis to fix as many Semgrep findings in this PR as it can.
- When this commit is the head of the main branch, then Pixee uses these findings the next time its _Continuous Improvement Campaign_ analysis runs. Users may trigger such an analysis to occur immediately by issuing the chat command `@pixeebot next` in any PR or issue comment on this repository. Pixee's continuous improvement campaign shows the queue of fixes in Pixeebot Acitvity Dashboard issue.

![Pixeebot Activity Dashboard issue](./semgrep-issue-dashlist.png)
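Review bot: the workflow grants `id-token: write` and then runs two unpinned third-party components, `python3 -m pip install semgrep` (whatever PyPI serves as latest on each run) and `pixee/upload-tool-results-action@v2` (a movable tag); pin both, for example `pip install semgrep==<version>` and the action by full commit SHA with a version comment, so the job that can mint OIDC tokens only executes reviewed code. In the prose below the workflow, "When this commit the head of a pull request" is missing "is", "Acitvity" should be "Activity", and a blank line after the closing fence before "This workflow:" would keep the explanation visually separate from the YAML.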
26 changes: 0 additions & 26 deletions docs/configuring.md
Expand Up @@ -14,20 +14,6 @@ Users may set Pixee preferences at either the organization or repository levels.
2. **Organization-wide preferences:**
Alternatively, you can create the `pixeebot.yaml` file in the `.github` directory of your `.github` repository. This will serve as the global preferences that apply to all repositories in this installation.

## Codemod catalogs

Pixee offers three codemod catalogs to choose from in order to tune the type of improvements received.

- **Less**: Pixee will only suggest improvements for findings identified by a third-party security tool. See the [third-party security tools](/code-scanning-tools/overview) page for more information.
- **Moderate**: In addition to third-party security tool findings, Pixee will also suggest fixes for its own security findings.
- **More**: Includes everything from the Less and Moderate catalogs, along with additional suggestions Pixee identifies, such as style improvements and best practices.

### Selecting a catalog

During the onboarding process, users will be given the option to select a catalog preference for the organization they are installing on. This will determine the default catalog used for any repositories in that organization. If this step is skipped and no preference is selected, the Moderate catalog will be used by default. At any time, changes can be made by visiting the Pixee dashboard and selecting "View / change default preference" in the User menu.

Additionally, the catalog value can be configured on a per-repository/per-organization basis by updating the YAML configuration file. See the [Properties](#properties) section below for more information.

## Properties

### `ai`
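Review bot: deleting the Codemod catalogs section leaves existing users with no guidance on what happens to a `catalog:` key that is already present in their `pixeebot.yaml`; add a short deprecation note (whether the key is now ignored or rejected by validation) so this removal does not silently change behaviour for repositories that configured it.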
Expand All @@ -52,18 +38,6 @@ ai:
Contains optional preferences related to the codemod catalog Pixee uses to
make changes to repositories.

#### `catalog`

A string value that determines the codemod catalog used for code improvements.
The value can be set to `less`, `moderate`, or `more`.

Example:

```yaml
codemods:
catalog: more
```

#### `exclude`

A set of codemods to exclude from the catalog. Each codemod is identified by its
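Review bot: with `#### catalog` removed, the surrounding context still says "the codemod catalog Pixee uses to make changes" and, under `exclude`, "codemods to exclude from the catalog", so "catalog" is now a term the page never defines; reword those two sentences in the same change (for example "the set of codemods Pixee uses" and "codemods to exclude") rather than leaving a dangling concept.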
6 changes: 5 additions & 1 deletion docs/installing.md
Expand Up @@ -19,7 +19,11 @@ Also [contact us](https://pixee.ai/demo-landing-page) if you want to partner as

## Tool connections

Pixee can provide fixes "out of the box" for Java and Python repositories. But you'll get the most value out of Pixee by [connecting it to your existing code scanning tools and services](/code-scanning-tools/overview). This will allow Pixee to provide more accurate and relevant fixes for your codebase.
Pixee fixes problems detected by [your existing code scanning tools and services](/code-scanning-tools/overview).

If you use GitHub Advanced Security (GHAS), then installing the Pixeebot GitHub App is sufficient for connecting Pixee to your GHAS results.

Otherwise, you will need to connect Pixee to your code scanning tools and services, before Pixee can send fixes. If your repository does not use any code scanning tools and services, but you still want to try Pixee, see our guide for [adding Semgrep CLI and Pixee to your GitHub repository](./code-scanning-tools/semgrep.md).

## Repository access

2 changes: 0 additions & 2 deletions docs/languages.md
Expand Up @@ -4,8 +4,6 @@ sidebar_position: 3

# Language support

You'll get the most value out of Pixee by connecting it to your existing code scanning tools. This will allow Pixee to provide more accurate and relevant fixes for your codebase and to triage findings from those tools.

When triaging and fixing issues detected by code scanning tools, Pixee supports the following languages:

- Java
49 changes: 49 additions & 0 deletions docs/running_on_public_github_repos.md
@@ -0,0 +1,49 @@
---
sidebar_position: 2
---

# For public repositories without tools

This page describes how to help set up Pixee on a public GitHub repository that doesn't have any tools configured yet. Note that some features are only available in our enterprise offering.

## Step 1: Choose and set up your repository

On the repository you want to secure, enable GitHub _Issues_ so you can see the Pixee dashboard. You can always disable this later if, after you review, you prefer using our dashboard.

1. In your repository, go to `Settings` > `General`.
2. Under the `Features`, select `Issues`.

## Step 2: Choose CodeQL or SonarQube Cloud

For ease of integration, we suggest picking either CodeQL (through GitHub Advanced Security) or SonarQube Cloud. Both can be used to find vulnerabilities in your code, are free for public repositories, and offer simple onboarding. CodeQL is more focused on security than quality, but Sonar has a large rule based and is trusted by developers all over the world. Both are great choices.

### SonarQube Cloud

[Follow these instructions](https://docs.sonarsource.com/sonarqube-cloud/getting-started/github/) for installing SonarQube Cloud (to make things easier, login with your GitHub identity).

### CodeQL through GitHub Advanced Security (GHAS)

1. In your repository, go to `Settings` > `Code Security`.
2. Under the `Tools` > `CodeQL analysis`, hit `Set up`, then `Default`.

You may want to wait until the first scan finishes before moving onto the next step. You can see when it finishes by going to `Actions` and watching the progress of the recently-run CodeQL job.

## Step 3: Install Pixeebot

With the tool properly configured, the next step is to install Pixee.

1. Go to our [GitHub App page](https://github.com/apps/pixeebot/).
2. Click `Install` (or `Configure`) and follow the prompts from GitHub. You'll be directed to your Pixee dashboard once the installation process is complete.

## Step 4: See fixes available

1. Wait a few minutes for Pixee to process the results associated with the default branch.
2. There should be a new issue that shows which fixes are currently available.

import IssueDashboard from '/img/issue-dashboard.png';

<img src={IssueDashboard} alt="Issue dashboard" style={{width: 400}} />

You can use this dashboard to see what fixes are available, coming soon or summon Pixee to issue the fixes.

> Note: This GitHub-led experience will only show output from our AutoTriage AI agent when you make PRs that have security issues. To take advantage of this feature at scale, [contact us](https://pixee.ai/demo-landing-page)!
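Review bot: several wording and consistency fixes in the new page: "Sonar has a large rule based" should be "rule base"; "Under the `Features`" and "Under the `Tools`" should drop "the"; "how to help set up Pixee" reads better as "how to set up Pixee". In Step 1, "You can always disable this later if, after you review, you prefer using our dashboard" is ambiguous about which dashboard is meant, since Issues are being enabled precisely so the Pixee dashboard issue is visible; say "the Pixee web dashboard" if that is the intent. The filename `running_on_public_github_repos.md` uses underscores while the rest of docs/ uses hyphens (`using-pixeebot.md`, `code-scanning-tools/`), and the image is embedded through an MDX `import` plus `<img>` whereas semgrep.md in this same commit uses plain `![...]()` Markdown; pick one convention.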
2 changes: 1 addition & 1 deletion docs/using-pixeebot.md
Expand Up @@ -6,7 +6,7 @@ sidebar_position: 6

## Continuous improvement

Once installed, Pixee will begin opening pull requests against your repositories immediately. There is no need to summon Pixee manually - all of your improvements will come automatically at a manageable weekly cadence.
After installing Pixee and connecting it to your code scanning services, Pixee will begin opening pull requests against your repositories. There is no need to summon Pixee manually - all of your improvements will come automatically at a manageable weekly cadence.

## Summoning Pixee

Binary file added static/img/issue-dashboard.png