Skip to content

Semgrep Workflow

Semgrep Workflow #301

Workflow file for this run

on:
workflow_dispatch: {}
# pull_request:
# branches: ["dev"]
push:
branches:
- dev
schedule:
- cron: 11 2 * * * # Run every day at 2:11 UTC
name: Semgrep Workflow
jobs:
semgrep:
concurrency:
# use case: for example, when someone pushes a commit to a PR, the workflow will be triggered again
# we want to cancel previous jobs and only run the latest one
# TODO: check if this is the correct group to do this
# github.ref is the branch name
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
security-events: write
packages: read
actions: read
contents: read
# don't run on draft PRs or dependabot PRs or renovate PRs
if: github.event.pull_request.draft == false && github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]'
name: Semgrep Job
runs-on: ubuntu-latest
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
container:
image: semgrep/semgrep@sha256:aca826eb1bb9ba9e84a348b88e0c6340ca2a400789de0ee1e41b1abb560e4a1f
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
# generate the SARIF file to upload to the GitHub Advanced Security Dashboard
- run: semgrep ci --sarif > semgrep.sarif
- name: Upload SARIF file for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
with:
sarif_file: semgrep.sarif
# we don't want to upload security vulns for code that is not merged yet
if: ${{ github.event_name != 'pull_request' }}