@@ -55,16 +55,30 @@ runs:
5555 paths_ignored : ${{ inputs.paths_ignored }}
5656 rules_excluded : ${{ inputs.rules_excluded }}
5757
58- - name : Save failure
58+ - name : Semgrep Scan
59+ id : semgrep-scan
60+ continue-on-error : true
61+ uses : MetaMask/Semgrep-action@main
62+ with :
63+ paths_ignored : ${{ inputs.paths_ignored }}
64+
65+ - name : Determine Overall Scan Success
5966 shell : bash
6067 env :
6168 CODEQL_SCAN_RESULT : ${{ steps.codeql-scan.outcome }}
62- run : echo "CODEQL_SCAN_RESULT=$CODEQL_SCAN_RESULT" >> $GITHUB_ENV
69+ SEMGREP_SCAN_RESULT : ${{ steps.semgrep-scan.outcome }}
70+ run : |
71+ if [[ "$CODEQL_SCAN_RESULT" == "failure" || "$SEMGREP_SCAN_RESULT" == "failure" ]]; then
72+ SCAN_RESULT='failure'
73+ else
74+ SCAN_RESULT=$CODEQL_SCAN_RESULT
75+ fi
76+ echo "SCAN_RESULT=$SCAN_RESULT" >> $GITHUB_ENV
6377
6478 # TODO check if we are blocking PR, e.g if we are on a PR and the scan failed, then fail the PR
6579 - name : Post to a Slack channel
6680 id : slack
67- if : ${{ env.CODEQL_SCAN_RESULT == 'failure' && inputs.slack_webhook != '' }}
81+ if : ${{ env.SCAN_RESULT == 'failure' && inputs.slack_webhook != '' }}
6882 uses : slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844
6983 with :
7084 payload : |
7589 env :
7690 SLACK_WEBHOOK_URL : ${{ inputs.slack_webhook }}
7791 SLACK_WEBHOOK_TYPE : INCOMING_WEBHOOK
78- # Save to mixpanel
7992
8093 - name : Save run metadata to mixpanel
8194 if : ${{ env.inputs.mixpanel_project_token != '' }}
@@ -84,12 +97,11 @@ runs:
8497 MIXPANEL_PROJECT_TOKEN : ${{ inputs.mixpanel_project_token}}
8598 RUN_REPO : ${{ inputs.repo }}
8699 RUN_ID : ${{ github.run_id }}
87- CODEQL_SCAN_RESULT : ${{ env.CODEQL_SCAN_RESULT }}
100+ CODEQL_SCAN_RESULT : ${{ env.SCAN_RESULT }}
88101 run : yarn run log-to-mixpanel
89102 shell : bash
90- # end save to mixpanel
91103
92104 - name : Finish on failure
93- if : ${{ env.CODEQL_SCAN_RESULT == 'failure' }}
105+ if : ${{ env.SCAN_RESULT == 'failure' }}
94106 shell : bash
95107 run : exit 1
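Review bot: The new Semgrep Scan step in the first hunk references `MetaMask/Semgrep-action@main`, a mutable branch ref, while the Slack action a few lines below it is pinned to a full commit SHA. Whatever is pushed to that branch will run inside this composite action on the caller's runner, with the checked-out workspace and presumably whatever the job exposes to its steps, so pin it the same way: `uses: MetaMask/Semgrep-action@<full-commit-sha>` (placeholder; use the commit that was reviewed). Separately, the `else` branch of the new script copies only the CodeQL outcome, so a Semgrep outcome of `cancelled` or `skipped` is reported as whatever CodeQL returned; a short comment stating that this is intended would help. In the second hunk the Mixpanel step now sends the combined value under the name `CODEQL_SCAN_RESULT`, which will mislead anyone reading those metrics unless the variable is renamed or annotated.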