-
Notifications
You must be signed in to change notification settings - Fork 85
49 lines (38 loc) · 1.49 KB
/
semgrep.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
name: Semgrep
on:
# Scan changed files in PRs (diff-aware scanning):
pull_request: {}
# Scan mainline, next and `dev/*` trunks to report all findings:
push:
branches:
- main
- canary
- dev/*
schedule:
- cron: "30 0 1,15 * *" # scheduled for 00:30 UTC on both the 1st and 15th of the month
jobs:
semgrep:
name: Scan
# Change this in the event of future self-hosting of Action runner:
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep:1.101.0@sha256:a2917a82fec40f4d165fd701abb3937677b900105f3e909861fa03844a8e00db
# Skip any PR created by Dependabot to avoid permission issues:
if: (github.actor != 'dependabot[bot]')
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
name: Check-out Git project source
- name: Run Semgrep
run: semgrep ci --sarif --output=semgrep.sarif || true
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
- name: Check SARIF file exists following Semgrep run
id: sarif_file_check
uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0
with:
files: "semgrep.sarif"
- name: Upload SARIF file for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
if: steps.sarif_file_check.outputs.files_exists == 'true'
with:
sarif_file: semgrep.sarif