Semgrep Workflow #336
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
workflow_dispatch: {} | |
# pull_request: | |
# branches: ["dev"] | |
push: | |
branches: | |
- dev | |
schedule: | |
- cron: 11 2 * * * # Run every day at 2:11 UTC | |
name: Semgrep Workflow | |
jobs: | |
semgrep: | |
concurrency: | |
# use case: for example, when someone pushes a commit to a PR, the workflow will be triggered again | |
# we want to cancel previous jobs and only run the latest one | |
# TODO: check if this is the correct group to do this | |
# github.ref is the branch name | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
permissions: | |
security-events: write | |
packages: read | |
actions: read | |
contents: read | |
# don't run on draft PRs or dependabot PRs or renovate PRs | |
if: github.event.pull_request.draft == false && github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]' | |
name: Semgrep Job | |
runs-on: ubuntu-latest | |
env: | |
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} | |
container: | |
image: semgrep/semgrep@sha256:aca826eb1bb9ba9e84a348b88e0c6340ca2a400789de0ee1e41b1abb560e4a1f | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
# generate the SARIF file to upload to the GitHub Advanced Security Dashboard | |
- run: semgrep ci --sarif > semgrep.sarif | |
- name: Upload SARIF file for GitHub Advanced Security Dashboard | |
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3 | |
with: | |
sarif_file: semgrep.sarif | |
# we don't want to upload security vulns for code that is not merged yet | |
if: ${{ github.event_name != 'pull_request' }} |