generated from amazon-archives/__template_Apache-2.0
-
Notifications
You must be signed in to change notification settings - Fork 31
39 lines (32 loc) · 1016 Bytes
/
semgrep-analysis.yml
File metadata and controls
39 lines (32 loc) · 1016 Bytes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
name: Semgrep
on:
# Scan changed files in PRs, block on new issues only (existing issues ignored)
pull_request:
push:
branches: ["dev", "main"]
schedule:
- cron: '23 20 * * 1'
permissions:
contents: read
jobs:
semgrep:
name: Scan
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep
# Skip any PR created by dependabot to avoid permission issues
if: (github.actor != 'dependabot[bot]')
steps:
# Fetch project source
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
- run: semgrep scan --sarif --output=semgrep.sarif
env:
SEMGREP_RULES: >- # more at semgrep.dev/explore
p/security-audit
p/secrets
p/owasp-top-ten
- name: Upload SARIF file for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 #v4.31.10
with:
sarif_file: semgrep.sarif
if: always()