Update README.md (Status badge update) #457

Update README.md (Status badge update)

Update README.md (Status badge update) #457

Workflow file for this run

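# Semgrep SAST + supply-chain scan.
#
# Job 1 (buildmavenDepTree) generates a Maven dependency tree for every pom.xml
# and uploads it as an artifact; job 2 (sast) downloads that artifact and runs
# `semgrep ci` inside the official semgrep container.
#
# Changes vs. the previous revision (review):
#   * workflow-level `permissions: contents: read` so the build job no longer
#     inherits the repository's default GITHUB_TOKEN scopes;
#   * SEMGREP_APP_TOKEN is scoped to the one step that uses it instead of being
#     visible to every step of the job;
#   * a timeout on the build job, mirroring the sast job.
name: SAST

on:
  pull_request:
    branches:
      - main
  schedule:
    # Weekly (Sunday 06:45 UTC) so new rules/advisories are picked up even
    # when no PR is open.
    - cron: '45 6 * * 0'

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the repo.
# Jobs may still narrow this further but cannot widen it without saying so.
permissions:
  contents: read

jobs:
  buildmavenDepTree:
    runs-on: ubuntu-latest
    # Same ceiling as the sast job; a hung Maven resolution should not run for
    # the 6 h default.
    timeout-minutes: 60
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          # NOTE(review): 'audit' only records egress, it blocks nothing. Once
          # the endpoint baseline from the audit logs is known, switch to
          # 'block' + allowed-endpoints so a malicious Maven plugin pulled in
          # by a PR cannot phone home from the runner.
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - name: Set up JDK 11
        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
        with:
          java-version: '11'
          distribution: 'temurin'
          cache: 'maven'
      - name: Generate dependency tree
        # Runs Maven in every directory that holds a pom.xml. Maven executes
        # plugins declared in the (PR-controlled) pom, i.e. this step runs
        # contributor code; the read-only token above and the absence of
        # secrets in this job are what bound the blast radius.
        run: |
          find . -name "pom.xml" -execdir mvn -q dependency:tree -DoutputFile=maven_dep_tree.txt -Dmaven.test.skip=true \;
      - name: Create zip with all dependency trees
        run: find . -type f -name 'maven_dep_tree.txt' -exec zip -r deptree.zip {} +
      - name: Upload zip
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: deptree
          path: deptree.zip

  sast:
    needs: buildmavenDepTree
    name: sast
    timeout-minutes: 60
    runs-on: ubuntu-latest
    permissions:
      contents: read
    container:
      # NOTE(review): every action in this file is pinned to a commit SHA, but
      # this image is unpinned (floating tag). Pin it to an immutable digest
      # (semgrep/semgrep@sha256:...) so the scanner itself is not a moving
      # supply-chain target; refresh the digest the same way the action SHAs
      # are bumped.
      image: semgrep/semgrep
    # Dependabot-triggered runs are skipped; they do not see the repository
    # secret used below.
    if: (github.actor != 'dependabot[bot]')
    steps:
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - name: Download Maven Dependencies
        # Artifact produced by buildmavenDepTree in this same run.
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: deptree
      - name: Extract zip and run Semgrep
        # The token is only needed here, so it is scoped to this step rather
        # than exposed to the checkout/download steps as well.
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
        # Output is deliberately discarded from the job log (findings are
        # reported via the Semgrep app token instead); the non-zero exit of
        # `semgrep ci` is what fails the step. NOTE(review): on pull_request
        # runs from forks the secret is empty -- verify that `semgrep ci`
        # fails loudly rather than silently scanning nothing in that case.
        run: |
          unzip -o deptree.zip
          semgrep ci --supply-chain > /dev/null 2>&1 || exit $?
          semgrep ci --code > /dev/null 2>&1 || exit $?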