Sync main from dev (#219)

ashishdhingra · GarrettBeatty · web-flow · commit 20f7a2fa0dd2 · 2025-06-11T13:46:40.000-04:00
* Add dependabot configuration (#216) * Add Semgrep security scanning workflow (#217) * chore: Pinned to v1.6.0 of aws-github-ops/handle-stale-discussions so that closed GitHub discussions are not auto-reopened. --------- Co-authored-by: Garrett Beatty <gcbeatty@amazon.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+# Set update schedule for GitHub Actions
+
+version: 2
+updates:
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every week
+      interval: "weekly"
+    labels:
+      - "Release Not Needed"
+    target-branch: "dev"
diff --git a/.github/workflows/handle-stale-discussions.yml b/.github/workflows/handle-stale-discussions.yml
@@ -13,6 +13,6 @@ jobs:
       discussions: write
     steps:
       - name: Stale discussions action
-        uses: aws-github-ops/handle-stale-discussions@711a9813957be17629fc6933afcd8bd132c57254 #v1.6
+        uses: aws-github-ops/handle-stale-discussions@c0beee451a5d33d9c8f048a6d4e7c856b5422544 #v1.6.0
         env:
           GITHUB_TOKEN:  ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml
@@ -0,0 +1,41 @@
+name: Semgrep
+
+on:
+  # Scan changed files in PRs, block on new issues only (existing issues ignored)
+  pull_request:
+
+  push:
+    branches: ["dev", "main"]
+
+  schedule:
+    - cron: '23 20 * * 1'
+
+  # Manually trigger the workflow
+  workflow_dispatch:
+
+jobs:
+  semgrep:
+    name: Scan
+    permissions:
+      security-events: write
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    # Skip any PR created by dependabot to avoid permission issues
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      # Fetch project source
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+
+      - run: semgrep ci --sarif > semgrep.sarif
+        env:
+          SEMGREP_RULES: >- # more at semgrep.dev/explore
+            p/security-audit
+            p/secrets
+            p/owasp-top-ten
+
+      - name: Upload SARIF file for GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 #v3.28.16 
+        with:
+          sarif_file: semgrep.sarif
+        if: always()
