update semgrep config with full details (#106)

alexcoderabbitai · web-flow · commit 097373ea0564 · 2024-10-14T12:07:36.000-04:00
* update semgrep config with full details

* move notes around

* add link to semgrep rules docs

* english fix

* adding notes on default semgrep config file names
diff --git a/docs/tools/semgrep.md b/docs/tools/semgrep.md
@@ -4,21 +4,50 @@ sidebar_label: Semgrep
 description: CodeRabbit's guide to Semgrep.
 ---
 
-[Semgrep](https://semgrep.dev/) is a static analysis tool designed to scan code for security vulnerabilities and code quality issues..
+[Semgrep](https://semgrep.dev/) is a static analysis tool designed to scan code
+for security vulnerabilities and code quality issues.
+
+## Configuration
+
+Semgrep uses a YAML style configuration file. By default we will automatically
+use the following files if any are set in the root directory of your
+repostitory.
+
+- `semgrep.yml` or `semgrep.yaml`
+- `semgrep.config.yml` or `semgrep.config.yaml`
+
+Semgrep supports the following config files:
+
+- User-defined config file set at `reviews.tools.semgrep.config_file` in your
+  project's `.coderabbit.yaml` file or setting the "Review → Tools → Semgrep →
+  Config File" field in CodeRabbit's settings page.
+
+> Due to licensing CodeRabbit does not ship with the
+> [community-created Semgrep rules](https://github.com/returntocorp/semgrep-rules),
+> but you're free to use these in your own `semgrep.yml` config file.
+
+> **NOTE: CodeRabbit will only run Semgrep if your repository contains a Semgrep
+> config file. This config must use the default file names or you must define
+> the path to this file in the `.coderabbit.yaml` or config UI.**
+
+## Links
+
+- [Semgrep CLI Reference](https://semgrep.dev/docs/cli-reference)
+- [Writing Semgrep Rules for Config Files](https://semgrep.dev/docs/running-rules)
 
 ## Files
 
 Semgrep will run on the following files and extensions:
 
 - `Apex`
-- `Bash` 
+- `Bash`
 - `.c`
 - `.cpp`
 - `.cs`
 - `.clj`
 - `.dart`
 - `Dockerfile`
-- `.ex` 
+- `.ex`
 - `.html`
 - `.go`
 - `.java`
@@ -36,7 +65,7 @@ Semgrep will run on the following files and extensions:
 - `.py`
 - `.r`
 - `.rb`
-- `.rs` 
+- `.rs`
 - `.scala`
 - `Scheme`
 - `.sol`
@@ -48,15 +77,3 @@ Semgrep will run on the following files and extensions:
 - `.xml`
 - `ERB`
 - `Jinja`
-
-## Configuration
-
-Semgrep uses a YAML style configuration file.
-
-Semgrep supports the following config files:
-
-- User-defined config file set at `reviews.tools.semgrep.config_file` in your project's `.coderabbit.yaml` file or setting the "Review → Tools → Semgrep → Config File" field in CodeRabbit's settings page.
-
-## Links
-
-- [Semgrep Cli Reference](https://semgrep.dev/docs/cli-reference)
