-
Notifications
You must be signed in to change notification settings - Fork 42
73 lines (59 loc) · 2.8 KB
/
scan-dockerfiles-with-semgrep.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# Name of this GitHub Actions workflow.
name: Scan Application Code with Semgrep SAST
on:
# Trigger the workflow on the following events:
# Scan changed files in Pull Requests (diff-aware scanning).
pull_request: {}
# Trigger the workflow on-demand through the GitHub Actions interface.
workflow_dispatch: {}
# Scan mainline branches (main and development) and report all findings.
push:
branches: ["main", "development"]
jobs:
semgrep:
# User definable name of this GitHub Actions job.
name: Scan Application Code with Semgrep SAST
# Specify the runner environment. Use the latest version of Ubuntu.
runs-on: ubuntu-latest
# Define permissions for specific GitHub Actions.
permissions:
actions: read # Permission to read GitHub Actions.
contents: read # Permission to read repository contents.
security-events: write # Permission to write security events.
container:
# Use a Docker image with Semgrep installed. Do not change this.
image: returntocorp/semgrep
# Skip any Pull Request created by the Dependabot to avoid permission issues.
if: (github.actor != 'dependabot[bot]')
steps:
- name: Checkout code
uses: actions/checkout@v4
# Step: Checkout code
# Action to check out the code from the repository.
# This step fetches the codebase from the GitHub repository.
- name: Run Semgrep Dockerfile Scan
run: semgrep --config p/dockerfile --exclude www --sarif --output=semgrep-dockerfile-results.sarif
continue-on-error: true
# Execute Semgrep to scan the code for Dockerfile vulnerabilities
# Save the results in SARIF format
# Continue the workflow even if there are errors during the scan.
- name: Run Semgrep Docker SAST Scan
run: semgrep --config p/docker --exclude www --sarif --output=semgrep-docker-results.sarif
continue-on-error: true
# Execute Semgrep to scan the code for Docker vulnerabilities
# Save the results in SARIF format
# Continue the workflow even if there are errors during the scan.
- name: Upload Dockerfile SARIF file for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: semgrep-dockerfile-results.sarif
category: "Semgrep Dockerfile Scan"
if: always()
# Upload the SARIF file with scan results to the GitHub Advanced Security Dashboard.
- name: Upload Docker file for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: semgrep-docker-results.sarif
category: "Semgrep Docker Scan"
if: always()
# Upload the SARIF file with scan results to the GitHub Advanced Security Dashboard.