From 4be6e12857b6ae6188325073d05474f64d2dfe42 Mon Sep 17 00:00:00 2001 From: Malhar Khimsaria <96malhar@gmail.com> Date: Fri, 10 Nov 2023 14:08:51 -0800 Subject: [PATCH] chore: Update Semgrep GitHub action to use the returntocorp/semgrep container --- .github/workflows/semgrep-analysis.yml | 37 +++++++++++++++++--------- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml index ed1ebd001..1ae557e76 100644 --- a/.github/workflows/semgrep-analysis.yml +++ b/.github/workflows/semgrep-analysis.yml @@ -1,30 +1,41 @@ -# This workflow file requires a free account on Semgrep.dev to -# manage rules, file ignores, notifications, and more. -# -# See https://semgrep.dev/docs - name: Semgrep on: - push: - branches: - - feature/annotations + # Scan changed files in PRs, block on new issues only (existing issues ignored) pull_request: + + push: + branches: ["dev", "main"] + schedule: - cron: '23 20 * * 1' + # Manually trigger the workflow + workflow_dispatch: + jobs: semgrep: name: Scan + permissions: + security-events: write runs-on: ubuntu-latest + container: + image: returntocorp/semgrep # Skip any PR created by dependabot to avoid permission issues if: (github.actor != 'dependabot[bot]') steps: # Fetch project source - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - - uses: returntocorp/semgrep-action@v1 - with: - config: >- # more at semgrep.dev/explore + - run: semgrep ci --sarif > semgrep.sarif + env: + SEMGREP_RULES: >- # more at semgrep.dev/explore p/security-audit - p/secrets \ No newline at end of file + p/secrets + p/owasp-top-ten + + - name: Upload SARIF file for GitHub Advanced Security Dashboard + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: semgrep.sarif + if: always() \ No newline at end of file
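Review bot: `if: always()` on the new SARIF upload step is nested under `with:`, so it is passed as an action input instead of acting as the step's condition; the upload will therefore be skipped whenever the preceding `semgrep ci` step exits non-zero, which is exactly the case (findings present) the Security tab should receive. Move it to step level, i.e. `- name: Upload SARIF file for GitHub Advanced Security Dashboard` / `if: always()` / `uses: github/codeql-action/upload-sarif@v2`, with `with:` holding only `sarif_file: semgrep.sarif`. The job's `container.image: returntocorp/semgrep` carries no tag or digest, so every run pulls a mutable latest image; pin it to a release tag or digest (`returntocorp/semgrep:<pinned-version>`) so scan results are reproducible and an upstream image change cannot silently alter the job. Because the job now declares a `permissions:` block, every unlisted scope defaults to none; actions/checkout likely also needs `contents: read` alongside `security-events: write`, so verify the checkout step still succeeds on a private repository. The comment about scanning only changed files in PRs presumably assumes a Semgrep Cloud Platform token is configured; with only `SEMGREP_RULES` set, `semgrep ci` appears to run a full scan of the checked-out tree, so the comment may overstate what this configuration does.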