Skip to content

Commit

Permalink
ci: enable semgrep workflow
Browse files Browse the repository at this point in the history
  • Loading branch information
Yakutoc committed Sep 21, 2023
1 parent 923b8ad commit f9de783
Showing 1 changed file with 39 additions and 0 deletions.
39 changes: 39 additions & 0 deletions .github/workflows/semgrep.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
name: Semgrep

on:
pull_request:
branches: ["dev"]

permissions:
actions: read
contents: read
security-events: write

jobs:
semgrep:
name: semgrep/ci
runs-on: ubuntu-latest

container:
image: returntocorp/semgrep

# Skip any PR created by dependabot to avoid permission issues:
if: ${{ github.actor != 'dependabot[bot]' }}

steps:
- uses: actions/checkout@v4
with:
show-progress: false

- name: "Run the 'semgrep ci' command on the command line of the docker image."
run: semgrep ci --sarif --output=semgrep.sarif --config auto --config "p/gitlab" --exclude-rule yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha
env:
# Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable.
# more at semgrep.dev/explore
SEMGREP_RULES: p/default

- name: Upload SARIF file for GitHub Advanced Security Dashboard
if: always()
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: semgrep.sarif

0 comments on commit f9de783

Please sign in to comment.