
added semgrep scan (#872)

author
Shivasurya
committer
GitHub
date (Dec 6, 2024, 12:39 PM -0500) commit 5cad1d81 parent 39aae4e5
+37
+37
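--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,37 @@
+name: Semgrep - SAST Scan
+
+on:
+  pull_request_target:
+    types: [ closed, edited, opened, synchronize, ready_for_review ]
+
+jobs:
+  semgrep:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      - name: Checkout semgrep-rules repo
+        uses: actions/checkout@v4
+        with:
+          repository: sourcegraph/security-semgrep-rules
+          token: ${{ secrets.GH_SEMGREP_SAST_TOKEN }}
+          path: semgrep-rules
+
+      - name: Run Semgrep SAST Scan
+        run: |
+          mv semgrep-rules ../
+          semgrep ci -f ../semgrep-rules/semgrep-rules/ --metrics=off --oss-only --suppress-errors --sarif -o results.sarif --exclude='semgrep-rules' --baseline-commit "$(git merge-base main HEAD)" || true
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif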
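Review bot: The first checkout step (hunk lines 18–21) runs under `pull_request_target`, so the pull request's head from `github.event.pull_request.head.repo.full_name` is checked out into a job that also holds `secrets.GH_SEMGREP_SAST_TOKEN` and a `security-events: write` GITHUB_TOKEN; GitHub's hardening guidance is to avoid checking out an untrusted head ref under that trigger, and if the trigger is kept the step should at least add `persist-credentials: false` so the token is not written into the checked-out tree. Separately, `git merge-base main HEAD` on line 33 needs the `main` ref and history to be present locally, which the default shallow checkout of the head repository likely does not provide, so the baseline may resolve to an empty string (`--baseline-commit ""`) and the scan silently degrades or fails; adding `fetch-depth: 0` to the first checkout's `with:` block is the usual fix. The trailing `|| true` together with `--suppress-errors` also means a crashed scan never fails the job, and the upload step then errors on a missing `results.sarif` rather than surfacing the real cause; consider dropping `|| true` once the baseline is reliable, or at minimum documenting why scan failures are intentionally non-blocking.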