
ci(github-actions): add semgrep scans #1



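---
# Semgrep static-analysis workflow.
# Pull requests: diff-aware scan against the PR base commit, failing the check
# on new findings. Pushes to main, the weekly schedule and manual runs: full
# scan, uploaded as SARIF to the repository's Security tab.
name: Semgrep

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    # Weekly, Sunday 00:00 UTC
    - cron: "0 0 * * 0"
  workflow_dispatch:

# Deny everything at the workflow level; each job grants only what it needs.
permissions: {}

jobs:
  semgrep:
    permissions:
      # Required to read the repo
      contents: read
      # Required to upload the SARIF file to the security tab
      security-events: write
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # The scan only needs the working tree; don't keep the token in the clone
          persist-credentials: false
          # NOTE(review): checkout defaults to depth 1; semgrep ci is expected to
          # fetch the baseline commit itself when it is missing — confirm in run logs

      - name: Run Semgrep for PR
        # Skip PRs opened by dependabot[bot]
        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.user.login != 'dependabot[bot]' }}
        shell: bash
        env:
          # Passed via env rather than interpolated into the script body so the
          # value is never shell-parsed.
          BASELINE_COMMIT: ${{ github.event.pull_request.base.sha }}
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          # --baseline-commit takes a commit argument; without one the next
          # flag (--code) would be consumed as its value.
          # --error makes the step fail when findings are reported.
          semgrep ci --baseline-commit "${BASELINE_COMMIT}" --code --error \
            --config p/c \
            --config p/ci \
            --config p/docker \
            --config p/expressjs \
            --config p/flask \
            --config p/insecure-transport \
            --config p/jwt \
            --config p/python \
            --config p/r2c \
            --config p/react \
            --config p/ruby \
            --config p/secrets \
            --config p/security-audit

      - name: Run Semgrep for push
        if: ${{ github.event_name != 'pull_request' }}
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          # Full (non-diff) scan; results are written as SARIF for the upload
          # step below and do not fail the job.
          semgrep scan --sarif --sarif-output=semgrep-results.sarif \
            --config p/c \
            --config p/ci \
            --config p/docker \
            --config p/expressjs \
            --config p/flask \
            --config p/insecure-transport \
            --config p/jwt \
            --config p/python \
            --config p/r2c \
            --config p/react \
            --config p/ruby \
            --config p/secrets \
            --config p/security-audit

      - name: Upload Semgrep scan results to GitHub Security tab
        # Same condition as the scan step that produces the SARIF file
        if: ${{ github.event_name != 'pull_request' }}
        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5
        with:
          sarif_file: semgrep-results.sarif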