lines changed Original file line number Diff line number Diff line change 1+ name : Semgrep - SAST Scan
2+
3+ on :
4+ pull_request_target :
5+ types : [edited, opened, synchronize, ready_for_review]
6+
7+ concurrency :
8+ group : ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
9+ cancel-in-progress : true
10+
11+ jobs :
12+ semgrep :
13+ permissions :
14+ contents : read # for actions/checkout to fetch code
15+ security-events : write # for github/codeql-action/upload-sarif to upload SARIF results
16+ actions : read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
17+ runs-on : ubuntu-latest
18+ container :
19+ image : semgrep/semgrep:1.104.0
20+
21+ steps :
22+ - uses : actions/checkout@v4
23+ with :
24+ ref : ${{ github.event.pull_request.head.ref }}
25+ repository : ${{ github.event.pull_request.head.repo.full_name }}
26+
27+ - name : Checkout semgrep-rules repo
28+ uses : actions/checkout@v4
29+ with :
30+ repository : sourcegraph/security-semgrep-rules
31+ token : ${{ secrets.GH_SEMGREP_SAST_TOKEN }}
32+ path : semgrep-rules
33+
34+ - name : Run Semgrep SAST Scan
35+ run : |
36+ mv semgrep-rules ../
37+ semgrep ci -f ../semgrep-rules/semgrep-rules/ --metrics=off --oss-only --suppress-errors --sarif -o results.sarif --exclude='semgrep-rules' --baseline-commit "$(git merge-base main HEAD)" || true
38+ - name : Upload SARIF file
39+ uses : github/codeql-action/upload-sarif@v3
40+ with :
41+ sarif_file : results.sarif
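Review bot: The first checkout (lines 22-25) pulls the pull request head from the contributor's fork into a job triggered by `pull_request_target`, so `secrets.GH_SEMGREP_SAST_TOKEN` and a `security-events: write` token sit in the same job as untrusted files; this is only safe as long as no step executes anything from that tree, and the workflow does not say so anywhere. Semgrep itself only reads the code, but the invariant should be recorded so a later step (a build, a test run, a repo-local hook) cannot silently break it: add a comment above `on:` such as `# pull_request_target is used so the private rules-repo token is available on fork PRs; never execute code from the PR checkout in this job`, and add `persist-credentials: false` to the first `actions/checkout` step so the base-repository token is not written into `.git/config` of the untrusted tree. Separately, `actions/checkout@v4` defaults to a shallow clone, so `git merge-base main HEAD` on line 37 will very likely fail (no `main` ref in a depth-1 clone of the head repo), and with `--suppress-errors` and `|| true` that failure is invisible; consider `fetch-depth: 0` and deriving the baseline from `github.event.pull_request.base.sha` (after it has been fetched) rather than a hard-coded branch name. Pinning `actions/checkout`, `github/codeql-action/upload-sarif` and the `semgrep/semgrep` image to a commit SHA or digest rather than a floating tag would also harden the supply chain of a job that holds a secret.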