ci: add Semgrep OSS scanning workflow#128
| on: | ||
| pull_request: {} | ||
| push: | ||
| branches: [main, master] |
Suggestion (medium): This repo's primary integration branch is staging — all PRs target it, and main only receives merges from staging at release time. Without staging in the push trigger, merged code is only scanned on PR (and again much later when it reaches main). Consider adding it:
| branches: [main, master] | |
| branches: [main, staging] |
This also drops master, which doesn't exist in this repo.
| jobs: | ||
| semgrep: | ||
| name: semgrep-oss | ||
| runs-on: ubuntu-slim |
Needs Fix (medium): ubuntu-slim is not a standard GitHub-hosted runner label (ubuntu-latest, ubuntu-24.04, ubuntu-22.04 are). Every other workflow in this repo uses ubuntu-latest.
If this is a Cloudflare org-wide custom runner label, please disregard — but if not, this will cause the job to hang waiting for a runner that never arrives.
| runs-on: ubuntu-slim | |
| runs-on: ubuntu-latest |
Review submitted successfully. Here's a summary of the findings: Needs Fix (1):
Suggestions (1):
Summary
Adds Semgrep Community Edition (OSS) scanning to this repository as part of the App&ProdSec team's migration from Semgrep Pro to Semgrep CE.
What it does
- push to the main/master branch, and monthly on a staggered schedule.
- actions/cache@v5 so pip install semgrep only runs on cold cache (first run, version bump, or 7-day idle).
- semgrep==1.160.0 with --config=auto (default OSS ruleset).
- ubuntu-slim with contents: read token scope.
For reviewers
See the internal App&ProdSec email for migration context, or ping us internally.
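For reference, here is a complete workflow that assembles the pieces the description lists (pinned Semgrep CE, pip cache keyed on the version, --config=auto, a read-only token) with both review points applied (ubuntu-latest, main plus staging). This is an added example, not the file from this PR; the cron expression, cache key, cache path, step names and the Python version are assumptions.

```yaml
# Added example: full workflow built from the pieces described in the PR.
# Not the PR's own file; cron, cache key/path, step names and Python
# version are assumptions.
name: semgrep-oss

on:
  pull_request: {}
  push:
    branches: [main, staging]
  schedule:
    # Assumed monthly run; pick a different day/hour per repo so every
    # repo does not fetch rules from the registry at the same moment.
    - cron: "17 3 7 * *"

# Least privilege: the job only reads the checkout, it writes nothing back.
permissions:
  contents: read

env:
  SEMGREP_VERSION: "1.160.0"

jobs:
  semgrep:
    name: semgrep-oss
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - id: py
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      # The key embeds the pinned version and interpreter version, so a
      # bump of either misses the cache and triggers a fresh install.
      # GitHub evicts caches that have not been accessed for 7 days, which
      # is the "7-day idle" cold-cache case.
      - id: cache
        uses: actions/cache@v5
        with:
          path: ~/.local
          key: semgrep-${{ runner.os }}-py${{ steps.py.outputs.python-version }}-${{ env.SEMGREP_VERSION }}

      # Only install on a cache miss; --user puts the package and the
      # semgrep entry point under ~/.local, which is what we cache.
      - if: steps.cache.outputs.cache-hit != 'true'
        run: pip install --user "semgrep==${SEMGREP_VERSION}"

      # --config=auto pulls the default registry ruleset; --error makes the
      # job fail when findings are reported.
      - run: |
          export PATH="$HOME/.local/bin:$PATH"
          semgrep scan --config=auto --error
```

If this repo's other workflows pin third-party actions to full commit SHAs rather than tags, apply the same convention here; a mutable tag on actions/cache or actions/checkout is a supply-chain trust point that a read-only token does not mitigate.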