Skip to content

ci(deps): bump the actions-routine group with 2 updates #83

ci(deps): bump the actions-routine group with 2 updates

ci(deps): bump the actions-routine group with 2 updates #83

Workflow file for this run

# Copyright (c) 2025 Erick Bourgeois, firestoned
# SPDX-License-Identifier: Apache-2.0
#
# SAST (Semgrep OSS) — always-on. Runs on every PR and every push to main
# with no `paths:` filter so Scorecard's SAST check records every commit
# as covered (the path-gated Semgrep job in build.yaml was producing
# uncovered-commit events on dependabot and docs-only PRs).
#
# Runs the community Rust / security-audit / secrets / OWASP Top Ten
# rulesets and uploads SARIF to the Code Scanning dashboard under the
# `semgrep` category. No token required — this is the free OSS Community
# Edition.
name: SAST
on:
pull_request:
branches:
- main
push:
branches:
- main
permissions:
contents: read
jobs:
semgrep:
name: 🔎 SAST (Semgrep)
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
container:
image: returntocorp/semgrep
steps:
- name: Checkout code
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Run Semgrep
run: |
semgrep scan \
--config=p/rust \
--config=p/security-audit \
--config=p/secrets \
--config=p/owasp-top-ten \
--sarif --output=semgrep.sarif \
--metrics=off \
--error || true
- name: Upload Semgrep SARIF to Code Scanning
uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
with:
sarif_file: semgrep.sarif
category: semgrep