Skip to content

ci(deps): bump firestoned/github-actions/rust/security-scan from 1.3.6 to 1.3.7 #171

ci(deps): bump firestoned/github-actions/rust/security-scan from 1.3.6 to 1.3.7

ci(deps): bump firestoned/github-actions/rust/security-scan from 1.3.6 to 1.3.7 #171

Workflow file for this run

# Copyright (c) 2025 Erick Bourgeois, firestoned
# SPDX-License-Identifier: Apache-2.0
#
# SAST (Semgrep OSS) — always-on. Runs on every PR and every push to main
# with no `paths:` filter so Scorecard's SAST check records every commit
# as covered (the path-gated Semgrep job in build.yaml was producing
# uncovered-commit events on dependabot and docs-only PRs).
#
# Runs the community Rust / security-audit / secrets / OWASP Top Ten
# rulesets and uploads SARIF to the Code Scanning dashboard under the
# `semgrep` category. No token required — this is the free OSS Community
# Edition.
name: SAST
on:
pull_request:
branches:
- main
push:
branches:
- main
permissions:
contents: read
jobs:
semgrep:
name: 🔎 SAST (Semgrep)
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
container:
image: returntocorp/semgrep
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Run Semgrep
run: |
semgrep scan \
--config=p/rust \
--config=p/security-audit \
--config=p/secrets \
--config=p/owasp-top-ten \
--sarif --output=semgrep.sarif \
--metrics=off \
--error || true
- name: Upload Semgrep SARIF to Code Scanning
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: semgrep.sarif
category: semgrep