Workiva · andrewlundberg-wf · Sep 11, 2025
@@ -99,9 +99,40 @@ jobs:
       - name: Test Local Action
         id: test-action
         uses: ./
-        with:
-          milliseconds: 2000
 
       - name: Print Output
         id: output
         run: echo "${{ steps.test-action.outputs.time }}"
+
+  semgrep:
+    # User definable name of this GitHub Actions job.
+    name: semgrep/ci
+    # If you are self-hosting, change the following `runs-on` value:
+    runs-on: xs-al2023
+
+    container:
+      # A Docker image with Semgrep installed. Do not change this.
+      image: semgrep/semgrep
+
+    steps:
+      # Fetch project source with GitHub Actions Checkout. Use either v3 or v4.
+      - uses: actions/checkout@v5
+      # Run the "semgrep ci" command on the command line of the docker image.
+      - run: |
+          unset HTTP_PROXY
+          unset http_proxy
+          unset HTTPS_PROXY
+          unset https_proxy
+          semgrep \
+            --quiet \
+            --config auto \
+            --sarif \
+            --sarif-output semgrep.sarif \
+            --output /dev/null \
+            --exclude-rule generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value \
+            --exclude-rule generic.secrets.security.detected-jwt-token.detected-jwt-token \
+            --exclude-rule generic.secrets.security.detected-aws-account-id.detected-aws-account-id \
+            --exclude-rule yaml.docker-compose.security.no-new-privileges.no-new-privileges \
+            --exclude-rule yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service \
+            --exclude-rule yaml.kubernetes.security.run-as-non-root.run-as-non-root \
+            --exclude-rule generic.secrets.security.detected-private-key.detected-private-key
@@ -103,5 +103,3 @@ __tests__/runner/*
 
 # asdf
 .tool-versions
-
-.semgrepignore
@@ -0,0 +1 @@
+__tests__/
@@ -52,8 +52,8 @@ describe('main', () => {
         '--exclude-rule',
         'generic.secrets.security.detected-private-key.detected-private-key'
       ],
-      url: 'https://github.com/semgrep/semgrep/archive/refs/tags/v1.84.1.tar.gz',
-      version: 'v1.84.1',
+      url: 'https://github.com/semgrep/semgrep/archive/refs/tags/v1.136.0.tar.gz',
+      version: 'v1.136.0',
       installType: scanner.InstallType.Pip
     })
     expect(core.setFailed).not.toHaveBeenCalled()
@@ -105,8 +105,8 @@ describe('main', () => {
         '--exclude-rule',
         'generic.secrets.security.detected-private-key.detected-private-key'
       ],
-      url: 'https://github.com/semgrep/semgrep/archive/refs/tags/v1.84.1.tar.gz',
-      version: 'v1.84.1',
+      url: 'https://github.com/semgrep/semgrep/archive/refs/tags/v1.136.0.tar.gz',
+      version: 'v1.136.0',
       installType: scanner.InstallType.Pip
     })
     expect(core.setFailed).toHaveBeenCalledWith(errorMessage)
@@ -146,8 +146,8 @@ describe('main', () => {
         '--exclude-rule',
         'generic.secrets.security.detected-private-key.detected-private-key'
       ],
-      url: 'https://github.com/semgrep/semgrep/archive/refs/tags/v1.84.1.tar.gz',
-      version: 'v1.84.1',
+      url: 'https://github.com/semgrep/semgrep/archive/refs/tags/v1.136.0.tar.gz',
+      version: 'v1.136.0',
       installType: scanner.InstallType.Pip
     })
     expect(core.setFailed).toHaveBeenCalledWith(errorMessage)

@@ -12,6 +12,12 @@ import * as scanner from './scanner.js'
  * @returns `Promise` that resolves when the operation is complete.
  */
 export async function run(): Promise<void> {
+  // Required to avoid the changes made in Release v1.128.0
+  delete process.env.HTTP_PROXY
+  delete process.env.http_proxy
+  delete process.env.HTTPS_PROXY
+  delete process.env.https_proxy
+
   const scannerInput = inputs.getScannerInput()
 
   let scannerInstance: scanner.Scanner
@@ -45,8 +51,8 @@ export async function run(): Promise<void> {
         '--exclude-rule',
         'generic.secrets.security.detected-private-key.detected-private-key' // Duplicate of secret scanning
       ],
-      url: 'https://github.com/semgrep/semgrep/archive/refs/tags/v1.84.1.tar.gz',
-      version: 'v1.84.1',
+      url: 'https://github.com/semgrep/semgrep/archive/refs/tags/v1.136.0.tar.gz',
+      version: 'v1.136.0',
       installType: scanner.InstallType.Pip
     }
   } else {

@@ -4,7 +4,8 @@
   "compilerOptions": {
     "module": "NodeNext",
     "moduleResolution": "NodeNext",
-    "outDir": "./dist"
+    "outDir": "./dist",
+    "isolatedModules": true
   },
   "exclude": ["__fixtures__", "__tests__", "coverage", "dist", "node_modules"],
   "include": ["src"]
Original file line number	Diff line number	Diff line change
Expand Up		@@ -103,5 +103,3 @@ __tests__/runner/*

		# asdf
		.tool-versions

		.semgrepignore