diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..309e703 --- /dev/null +++ b/.github/workflows/security.yml @@ -0,0 +1,49 @@ +name: SecurityChecks +on: + pull_request: {} + push: + branches: ["master"] +jobs: + semgrep: + name: Scan + runs-on: [ubuntu-latest] + steps: + - uses: actions/checkout@v2 + - uses: returntocorp/semgrep-action@v1 + with: + publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} + publishDeployment: 339 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + workflow_status: + runs-on: [ ubuntu-latest ] + name: Update Status Check + needs: [ semgrep ] + if: always() + env: + githubCommit: ${{ github.event.pull_request.head.sha }} + steps: + - name: Set github commit id + run: | + if [ "${{ github.event_name }}" = "push" ]; then + echo "githubCommit=${{ github.sha }}" >> $GITHUB_ENV + fi + exit 0 + - name: Failed + id: failed + if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') + run: | + echo 'Failing the workflow for github security status check.' + curl -X POST -H "Content-Type: application/json" -H "Authorization: token ${{ github.token }}" \ + -d '{ "state" : "failure" , "context" : "github/security-status-check" , "description" : "github/security-status-check", "target_url" : "https://github.com/${{ github.repository }}" }' \ + https://api.github.com/repos/${{ github.repository }}/statuses/${{ env.githubCommit }} + exit 1 + - name: Success + if: steps.failed.conclusion == 'skipped' + run: | + echo 'Status check has passed!' + curl -X POST -H "Content-Type: application/json" -H "Authorization: token ${{ github.token }}" \ + -d '{ "state" : "success" , "context" : "github/security-status-check" , "description" : "github/security-status-check", "target_url" : "https://github.com/${{ github.repository }}" }' \ + https://api.github.com/repos/${{ github.repository }}/statuses/${{ env.githubCommit }} + exit 0 \ No newline at end of file