feat(ci): add local semgrep scanning

Adds local semgrep scanning with blocking CI rules. Since this is
local it will run without needing to log in to semgrep and can
therefore run on external branches.

.circleci/config.yml

@@ -1170,6 +1170,31 @@ jobs:
       - notify-failures-on-develop:
           mentions: "@proofs-squad"
 
+  semgrep-scan-local:
+    parameters:
+      diff_branch:
+        type: string
+        default: develop
+    environment:
+      TEMPORARY_BASELINE_REF: << parameters.diff_branch >>
+      SEMGREP_REPO_URL: << pipeline.project.git_url >>
+      SEMGREP_BRANCH: << pipeline.git.branch >>
+      SEMGREP_COMMIT: << pipeline.git.revision >>
+    docker:
+      - image: returntocorp/semgrep
+    resource_class: xlarge
+    steps:
+      - checkout
+      - run:
+          name: "Semgrep scan"
+          # --timeout (in seconds) limits the time per rule and file.
+          #   SEMGREP_TIMEOUT is the same, but docs have conflicting defaults (5s in CLI flag, 1800 in some places)
+          #    https://semgrep.dev/docs/troubleshooting/semgrep-app#if-the-job-is-aborted-due-to-taking-too-long
+          command: semgrep scan --timeout=100 --config=./.semgrep
+          # If semgrep hangs, stop the scan after 20m, to prevent a useless 5h job
+          no_output_timeout: 20m
+      - notify-failures-on-develop
+
   semgrep-scan:
     parameters:
       diff_branch:
@@ -1415,6 +1440,7 @@ workflows:
           requires:
             - contracts-bedrock-build
       - semgrep-scan
+      - semgrep-scan-local
       - go-lint:
           requires:
             - go-mod-download

.semgrep/sol-rules.yaml

@@ -0,0 +1,19 @@
+rules:
+  - id: sol-safety-deployutils-args
+    pattern-regex: DeployUtils\.(create1|create2|create1AndSave|create2AndSave)\s*\(\s*\{[^}]*?_args\s*:\s*(?!\s*DeployUtils\.encodeConstructor\()\s*[^}]*?\}\s*\)
+    message: _args parameter should be wrapped with DeployUtils.encodeConstructor
+    severity: ERROR
+    languages:
+      - solidity
+  - id: sol-style-input-arg-fmt
+    pattern-regex: function\s+\w+\s*\(\s*([^)]*?\b\w+\s+(?!_)(?!memory\b)(?!calldata\b)(?!storage\b)(?!payable\b)\w+\s*(?=,|\)))
+    message: Named inputs to functions must be prepended with an underscore
+    severity: WARNING
+    languages:
+      - solidity
+  - id: sol-style-return-arg-fmt
+    pattern-regex: returns\s*(\w+\s*)?\(\s*([^)]*?\b\w+\s+(?!memory\b)(?!calldata\b)(?!storage\b)(?!payable\b)\w+(?<!_)\s*(?=,|\)))
+    message: Named return arguments to functions must be appended with an underscore
+    severity: WARNING
+    languages:
+      - solidity

packages/contracts-bedrock/src/dispute/DelayedWETH.sol

@@ -59,6 +59,10 @@ contract DelayedWETH is OwnableUpgradeable, WETH98, ISemver {
         config = _config;
     }
 
+    function foo(uint256 tst) external pure returns (uint256) {
+        return tst;
+    }
+
     /// @notice Returns the withdrawal delay in seconds.
     /// @return The withdrawal delay in seconds.
     function delay() external view returns (uint256) {