feat: open source friendly scan action (#77)

gilescope · web-flow · commit fdf8ee70a1f9 · 2026-01-12T18:57:31.000+01:00
diff --git a/.github/workflows/checkmarx.yaml b/.github/workflows/checkmarx.yaml
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
@@ -0,0 +1,30 @@
+name: Scan
+permissions: {}
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch: {}   # so you can still run it manually
+  schedule:
+    - cron: '0 0 * * *'   # run daily at midnight UTC
+concurrency:
+  group:
+    ${{ github.event_name != 'merge_group' && format('{0}-{1}', github.workflow, github.head_ref) || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+      statuses: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  #v6.0.1
+
+      - name: Scan code
+        uses: midnightntwrk/upload-sarif-github-action/scan@4a845f28b9c18477052e3ee02c4e549970b1e904
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1,7 +1,7 @@
 * @midnightntwrk/mn-codeowners-node-docker
 /.github/ISSUE_TEMPLATE/ @midnightntwrk/mn-security @midnightntwrk/mn-sre
 /.github/PULL_REQUEST_TEMPLATE/ @midnightntwrk/mn-security @midnightntwrk/mn-sre
-/.github/workflows/checkmarx.yaml @midnightntwrk/mn-security @midnightntwrk/mn-sre
+/.github/workflows/scan.yaml @midnightntwrk/mn-security @midnightntwrk/mn-sre
 /.github/workflows/dependabot.yml @midnightntwrk/mn-security @midnightntwrk/mn-sre
 CODE_OF_CONDUCT.md @midnightntwrk/mn-security @midnightntwrk/mn-sre
 CODEOWNERS @midnightntwrk/mn-security @midnightntwrk/mn-sre
