ekscss-repl/.github/workflows/semgrep.yml at aefe656d1f4926eda2d96032875cefd384f0e3c6 · maxmilton/ekscss-repl · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
name: semgrep
on:
  push:
    branches: [master]
  pull_request: {}
  workflow_dispatch: {}
  schedule:
    - cron: "28 6 * * 4"
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.head.label || github.run_id }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
  analyze:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    container:
      image: semgrep/semgrep@sha256:4372a1de903521f9f10f877b6caf15d150d17e1ca592582682c8d02b77cbd4f6
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
      - run: semgrep ci --sarif-output=semgrep.sarif
        env:
          SEMGREP_RULES: p/default p/owasp-top-ten p/cwe-top-25 p/gitleaks p/r2c-security-audit
      - uses: github/codeql-action/upload-sarif@8a06050a8c0348fb4738f28e0cfbb6727cf054ce # v4
        if: always()
        with:
          sarif_file: semgrep.sarif