Skip to content

build(deps): bump ws #311

build(deps): bump ws

build(deps): bump ws #311

# This workflow file requires a free account on Semgrep.dev to
# manage rules, file ignores, notifications, and more.
#
# See https://semgrep.dev/docs
name: Semgrep Scan
on:
push:
branches: [main]
pull_request:
# The branches below must be a subset of the branches above
branches: [main]
# schedule:
# Monday 6:00 am GMT+8
# - cron: '0 22 * * 0'
jobs:
semgrep:
name: Semgrep Scan
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep
# Skip any PR created by dependabot to avoid permission issues
if: (github.actor != 'dependabot[bot]')
steps:
# Checkout project source
- uses: actions/checkout@v4
# Scan code using project's configuration on https://semgrep.dev/manage
- name: Semgrep Scan
run: semgrep ci --output semgrep.sarif --sarif
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
# Upload SARIF file generated in previous step
# see: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: semgrep.sarif