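name: Semgrep - SAST Scan

on:
  # pull_request_target runs the workflow definition from the BASE branch with
  # the base repository's secrets available (GH_SEMGREP_SAST_TOKEN is read
  # below), which is what lets fork PRs be scanned with private rules. The
  # price is that the PR head checked out in this job is untrusted input:
  # never add build/test/install steps over that tree here, and keep the
  # GITHUB_TOKEN scoped down as in `permissions` below.
  pull_request_target:
    types: [closed, edited, opened, synchronize, ready_for_review]

jobs:
  semgrep:
    permissions:
      contents: read          # for actions/checkout to fetch code
      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read           # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    runs-on: ubuntu-latest
    container:
      image: returntocorp/semgrep

    steps:
      # Check out the PR head by its immutable SHA rather than by branch name,
      # so the commit scanned is exactly the one the event describes and cannot
      # be swapped by a push to the same branch that lands before this step.
      - name: Checkout PR head (untrusted)
        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          # Untrusted tree: do not leave the base repository's GITHUB_TOKEN in
          # its .git/config.
          persist-credentials: false
          # The baseline below needs real history, not a depth-1 clone of a
          # single ref.
          fetch-depth: 0

      - name: Checkout semgrep-rules repo
        uses: actions/checkout@v6
        with:
          repository: sourcegraph/security-semgrep-rules
          token: ${{ secrets.GH_SEMGREP_SAST_TOKEN }}
          path: semgrep-rules
          # The token is only needed for the clone itself. By default
          # actions/checkout would persist it in semgrep-rules/.git/config,
          # which then sits on disk next to the untrusted PR checkout.
          persist-credentials: false

      - name: Run Semgrep SAST Scan
        env:
          # Taken from the event payload rather than derived with
          # `git merge-base main HEAD`: `origin` in this checkout is the PR
          # head's (possibly forked) repository, so a local `main` is normally
          # absent and that substitution collapsed to an empty --baseline-commit
          # argument (hidden by `|| true`).
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          BASE_REPO_URL: ${{ github.server_url }}/${{ github.repository }}.git
        run: |
          mv semgrep-rules ../
          # Make the base commit available locally so semgrep can diff against
          # it. Fetched from the base repository explicitly because `origin`
          # may be a fork; a private base repository would need a token here.
          git fetch --no-tags "${BASE_REPO_URL}" "${BASE_SHA}"
          # `|| true`: findings are reported via SARIF, not via job failure.
          semgrep ci -f ../semgrep-rules/semgrep-rules/ --metrics=off --oss-only --suppress-errors --sarif -o results.sarif --exclude='semgrep-rules' --baseline-commit "${BASE_SHA}" || true

      - name: Upload SARIF file
        # The scan step never fails, so guard on the artifact actually existing
        # rather than letting upload-sarif error on a missing file.
        if: ${{ hashFiles('results.sarif') != '' }}
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: results.sarif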