Skip to content

security: a more comprehensive env.denylist #16534

security: a more comprehensive env.denylist

security: a more comprehensive env.denylist #16534

Workflow file for this run

name: Semgrep
on:
pull_request: {}
# Skipping push for now since it would run against the entire code base.
# push:
jobs:
semgrep:
name: Semgrep Scan
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep:1.36.0
env:
SEMGREP_SEND_METRICS: 0
# Skip any PR created by dependabot to avoid permission issues
if: (github.actor != 'dependabot[bot]')
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- run: semgrep ci --config=.semgrep/
permissions:
contents: read