1+ # Name of this GitHub Actions workflow.
2+ name : Semgrep
3+
4+ on :
5+ # Scan changed files in PRs (diff-aware scanning):
6+ pull_request :
7+ branches : ["main"]
8+ # Scan on-demand through GitHub Actions interface:
9+ workflow_dispatch : {}
10+ # Scan mainline branches and report all findings:
11+ push :
12+ branches : ["main"]
13+
14+ jobs :
15+ semgrep_scan :
16+ # User definable name of this GitHub Actions job.
17+ name : semgrep/ci
18+ # If you are self-hosting, change the following `runs-on` value:
19+ runs-on : ubuntu-latest
20+ container :
21+ # A Docker image with Semgrep installed. Do not change this.
22+ image : returntocorp/semgrep
23+ # Skip any PR created by dependabot to avoid permission issues:
24+ if : (github.actor != 'dependabot[bot]')
25+ permissions :
26+ # required for all workflows
27+ security-events : write
28+ # only required for workflows in private repositories
29+ actions : read
30+ contents : read
31+
32+ steps :
33+ # Fetch project source with GitHub Actions Checkout.
34+ - name : Checkout repository
35+ uses : actions/checkout@v3
36+
37+ - name : Perform Semgrep Analysis
38+ # @NOTE: This is the actual semgrep command to scan your code.
39+ # Modify the --config option to 'r/all' to scan using all rules,
40+ # or use multiple flags to specify particular rules, such as
41+ # --config r/all --config custom/rules
42+ run : semgrep scan -q --sarif --config auto ./vulnerable-source-code > semgrep-results.sarif
43+
44+ # upload the results for the CodeQL GitHub app to annotate the code
45+ - name : Save SARIF results as artifact
46+ uses : actions/upload-artifact@v3
47+ with :
48+ name : semgrep-scan-results
49+ path : semgrep-results.sarif
50+
51+ # Upload SARIF file generated in previous step
52+ - name : Upload SARIF result to the GitHub Security Dashboard
53+ uses : github/codeql-action/upload-sarif@v2
54+ with :
55+ sarif_file : semgrep-results.sarif
56+ if : always()
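Review bot: Every external reference in this workflow is mutable — `image: returntocorp/semgrep` at line 22 resolves to the `latest` tag (and the comment tells readers not to change it), and the three actions are pinned only to moving tags (`actions/checkout@v3`, `actions/upload-artifact@v3`, `github/codeql-action/upload-sarif@v2`) — so a tag or image push by the upstream owner runs new code inside a job that holds `security-events: write`. Pin the image by digest, e.g. `image: returntocorp/semgrep@sha256:<digest>`, and the actions by full commit SHA with the tag kept in a trailing comment, then let Dependabot or Renovate bump them. Separately, `semgrep scan` at line 42 exits 0 when findings exist and `-q` hides them, so this job never blocks a PR on a finding; add `--error` to the command if the check is meant to gate merges. Note also that `semgrep scan --config auto` is a full rescan of `./vulnerable-source-code` on every event, not the diff-aware mode the comment on line 5 describes (that needs `semgrep ci`), so the line 5 comment should be reworded or the command changed to match.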