| # This workflow uses actions that are not certified by GitHub. |
| # They are provided by a third-party and are governed by |
| # separate terms of service, privacy policy, and support |
| # documentation. |
| |
| # This workflow file requires a free account on Semgrep.dev to |
| # manage rules, file ignores, notifications, and more. |
| # |
| # See https://semgrep.dev/docs |
| |
| name: Semgrep |
| |
| on: |
| push: |
| branches: [ "develop" ] |
| pull_request: |
| # The branches below must be a subset of the branches above |
| branches: [ "develop" ] |
| schedule: |
| - cron: '23 2 * * 4' |
| |
| permissions: |
| contents: read |
| |
| jobs: |
| semgrep: |
| permissions: |
| contents: read # for actions/checkout to fetch code |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results |
| actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status |
| name: Scan |
| runs-on: ubuntu-latest |
| steps: |
| - name: Harden Runner |
| uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 |
| with: |
| egress-policy: audit |
| |
| # Checkout project source |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
| with: |
| persist-credentials: false |
| |
| # The former returntocorp/semgrep-action is deprecated (the org was renamed |
| # to semgrep/*); the maintained approach is to install the CLI and invoke |
| # it directly. We use `semgrep scan` (not `semgrep ci`, which requires a |
| # login token): with no SEMGREP_APP_TOKEN configured this is exactly what |
| # the old action fell back to, running community rules with no token. |
| # SEMGREP_APP_TOKEN is still passed through so registry auth works if a |
| # token is ever added. |
| - name: Install Semgrep |
| run: python3 -m pip install --user semgrep==1.168.0 |
| |
| # `semgrep scan --sarif` always exits 0 even with findings; continue-on-error |
| # is a safety net so the SARIF upload still runs if the scan itself errors. |
| - name: Run Semgrep |
| run: semgrep scan --config auto --sarif --output=semgrep.sarif |
| continue-on-error: true |
| env: |
| SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} |
| |
| # Upload SARIF file generated in previous step |
| - name: Upload SARIF file |
| uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0 |
| with: |
| sarif_file: semgrep.sarif |
| if: always() |