
Commit 4654593

add sast ci (#2530)
1 parent a45b63d commit 4654593

1 file changed

Lines changed: 54 additions & 0 deletions


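--- a/.github/workflows/sast.yml
+++ b/.github/workflows/sast.yml
@@ -0,0 +1,54 @@
+name: SAST
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: '45 6 * * *'
+jobs:
+  buildmavenDepTree:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Set up JDK 11
+        uses: actions/setup-java@v4
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+          cache: 'maven'
+      - name: Generate dependency tree
+        run: |
+          find . -name "pom.xml" -execdir mvn -q dependency:tree -DoutputFile=maven_dep_tree.txt -Dmaven.test.skip=true \;
+      - name: Create zip with all dependency trees
+        run: find . -type f -name 'maven_dep_tree.txt' -exec zip -r deptree.zip {} +
+      - name: Upload zip
+        uses: actions/upload-artifact@v4
+        with:
+          name: deptree
+          path: deptree.zip
+  sast:
+    needs: buildmavenDepTree
+    name: sast
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    env:
+      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+    container:
+      image: semgrep/semgrep
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Download Maven Dependencies
+        uses: actions/download-artifact@v4
+        with:
+          name: deptree
+      - name: Extract zip and run Semgrep
+        run: |
+          unzip -o deptree.zip
+          semgrep ci > /dev/null 2>&1 || exit $?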
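Review bot: The `buildmavenDepTree` job (new-file line 12) declares no `permissions:` block, so its GITHUB_TOKEN falls back to the repository default, which may include write scopes it never needs; give it the same least-privilege block the `sast` job has, `permissions:` / `  contents: read`, or set it once at workflow level. The final step's `semgrep ci > /dev/null 2>&1 || exit $?` discards everything Semgrep prints, so a failing or misconfigured scan leaves only a bare non-zero exit in the job log, and since the default `run` shell already stops on a failing command the `|| exit $?` appears to add nothing; `semgrep ci` alone keeps the diagnostics and the same pass/fail result. The four `actions/*@v4` references and the `semgrep/semgrep` image are resolved by mutable tag, so the scanner itself is only as trustworthy as whoever can move those tags; pinning each action to a full commit SHA and the image to a version plus digest (`image: semgrep/semgrep:<version>@sha256:<digest>`, values to be filled from the registry) makes the SAST pipeline reproducible and tamper-evident.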
