fork of https://github.com/sourcegraph/zoekt
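name: Semgrep - SAST Scan

# Trust model: pull_request_target runs in the BASE repository's context, so the job
# has access to repository secrets (GH_SEMGREP_SAST_TOKEN below) and the
# security-events: write permission even when the PR comes from a fork. The first
# checkout step pulls UNTRUSTED code from the PR head repository. The later steps
# only read that tree (semgrep scans it; nothing builds, installs or executes it) —
# keep it that way: any step that runs code from the checkout would hand that code
# the secret and the write permission.
on:
  pull_request_target:
    types: [closed, edited, opened, synchronize, ready_for_review]

jobs:
  semgrep:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    runs-on: ubuntu-latest
    container:
      # NOTE(review): unpinned image tag; pinning to a digest would make the scanner
      # itself reproducible and resistant to a mutated tag.
      image: returntocorp/semgrep

    steps:
      # Check out the PR head. Using head.sha (not head.ref) pins the exact commit the
      # event was raised for, so a branch force-pushed between event delivery and
      # checkout cannot swap in a different tree. persist-credentials: false keeps the
      # job's GITHUB_TOKEN out of the untrusted checkout's .git/config; no later step
      # needs authenticated git access to this tree.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          persist-credentials: false

      # Private rules repository, fetched with a dedicated token. With
      # persist-credentials: false the token is used only for the fetch and is not
      # written to semgrep-rules/.git/config, so it does not stay on disk for the
      # rest of the job (the directory is moved, not deleted, by the scan step).
      - name: Checkout semgrep-rules repo
        uses: actions/checkout@v4
        with:
          repository: sourcegraph/security-semgrep-rules
          token: ${{ secrets.GH_SEMGREP_SAST_TOKEN }}
          path: semgrep-rules
          persist-credentials: false

      # Rules are moved out of the workspace so they are not scanned as part of the
      # PR tree (--exclude is a second line of defence). `|| true` keeps the job
      # going when semgrep exits non-zero on findings so the SARIF still uploads.
      # NOTE(review): `git merge-base main HEAD` requires `main` to be resolvable in
      # this checkout; with actions/checkout's default shallow fetch it may not be,
      # and the `|| true` would hide that failure — confirm in the run log that a
      # baseline is actually applied.
      - name: Run Semgrep SAST Scan
        run: |
          mv semgrep-rules ../
          semgrep ci -f ../semgrep-rules/semgrep-rules/ --metrics=off --oss-only --suppress-errors --sarif -o results.sarif --exclude='semgrep-rules' --baseline-commit "$(git merge-base main HEAD)" || true
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif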