Skip to content

Semgrep

Semgrep #530

# This workflow file requires a free account on Semgrep.dev to
# manage rules, file ignores, notifications, and more.
#
# See https://semgrep.dev/docs
name: Semgrep
on:
push:
branches: [ master ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ master ]
schedule:
- cron: '19 5 * * 6'
jobs:
semgrep:
name: Scan
runs-on: ubuntu-latest
# Skip any PR created by dependabot to avoid permission issues
if: (github.actor != 'dependabot[bot]')
steps:
# Fetch project source
- uses: actions/checkout@v2
- uses: returntocorp/semgrep-action@v1
with:
config: >- # more at semgrep.dev/explore
p/security-audit
p/secrets
# Instead of `config:`, use rules set in Semgrep App.
# Get your token from semgrep.dev/manage/settings.
publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
# Never fail the build due to findings on pushes.
# Instead, just collect findings for semgrep.dev/manage/findings
# auditOn: push
# Upload findings to GitHub Advanced Security Dashboard [step 1/2]
# See also the next step.
generateSarif: "1"
# Change job timeout (default is 1800 seconds; set to 0 to disable)
# env:
# SEMGREP_TIMEOUT: 300
# Upload findings to GitHub Advanced Security Dashboard [step 2/2]
- name: Upload SARIF file for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: semgrep.sarif
if: always()