security(semgrep): test run semgrep full

moscaale · moscaale · commit 2d5b35592dd6 · 2026-03-19T21:10:51.000+01:00
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -23,29 +23,26 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Run Semgrep (diff only)
-        run: semgrep ci --config auto --sarif --output semgrep.sarif
-        env:
-          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
-      - uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: semgrep.sarif
+        run: semgrep ci --config auto
 
-  # Scan complet sur push main et releases (thorough)
   semgrep-full:
     name: Semgrep SAST (full)
-    if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
+    if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     container:
       image: semgrep/semgrep
     steps:
       - uses: actions/checkout@v4
-      - name: Run Semgrep (full scan)
-        run: semgrep scan --config auto --sarif --output semgrep.sarif
-        #    👆 "scan" au lieu de "ci" = scan complet, pas de diff
-        env:
-          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
-      - uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: semgrep.sarif
+      - name: Run Semgrep (WARNING severity)
+        run: |
+          semgrep scan \
+            --config auto \
+            --severity WARNING \
+          exit 0  # Ne jamais bloquer ce job
+
+      - name: Run Semgrep (ERROR severity only)
+        run: |
+          semgrep scan \
+            --config auto \
+            --severity ERROR \
+            --error
