|
29 | 29 | # Code Scanning, packages:write for GHCR push, attestations:write for |
30 | 30 | # actions/attest-build-provenance, contents:write for release-asset upload |
31 | 31 | # — declare them explicitly at job level. See the docker / attest / |
32 | | -# build-vex / semgrep-sast / iac-scan / grype / sign-artifacts / |
33 | | -# slsa-provenance / upload-release-assets jobs below. |
| 32 | +# build-vex / iac-scan / grype / sign-artifacts / slsa-provenance / |
| 33 | +# upload-release-assets jobs below. (Semgrep SAST runs from sast.yaml.) |
34 | 34 | permissions: |
35 | 35 | contents: read |
36 | 36 |
|
@@ -648,43 +648,9 @@ jobs: |
648 | 648 | if: github.event_name == 'pull_request' |
649 | 649 | run: make gitleaks |
650 | 650 |
|
651 | | - # ───────────────────────────────────────────────────────────────────────────── |
652 | | - # SAST (Semgrep OSS) — PR + push to main. |
653 | | - # Runs the community Rust / security-audit / secrets / OWASP Top Ten rulesets |
654 | | - # and uploads SARIF to the Code Scanning dashboard. No token required — this |
655 | | - # is the free OSS Community Edition; findings appear under the `semgrep` tool |
656 | | - # category in the Security tab. |
657 | | - # ───────────────────────────────────────────────────────────────────────────── |
658 | | - semgrep-sast: |
659 | | - name: 🔎 SAST (Semgrep) |
660 | | - if: github.event_name != 'release' |
661 | | - runs-on: ubuntu-latest |
662 | | - needs: [verify-commits] |
663 | | - permissions: |
664 | | - contents: read |
665 | | - security-events: write |
666 | | - container: |
667 | | - image: returntocorp/semgrep |
668 | | - steps: |
669 | | - - name: Checkout code |
670 | | - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
671 | | - |
672 | | - - name: Run Semgrep |
673 | | - run: | |
674 | | - semgrep scan \ |
675 | | - --config=p/rust \ |
676 | | - --config=p/security-audit \ |
677 | | - --config=p/secrets \ |
678 | | - --config=p/owasp-top-ten \ |
679 | | - --sarif --output=semgrep.sarif \ |
680 | | - --metrics=off \ |
681 | | - --error || true |
682 | | -
|
683 | | - - name: Upload Semgrep SARIF to Code Scanning |
684 | | - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 |
685 | | - with: |
686 | | - sarif_file: semgrep.sarif |
687 | | - category: semgrep |
| 651 | + # Semgrep SAST moved to .github/workflows/sast.yaml so it runs on every |
| 652 | + # PR and push with no `paths:` filter (Scorecard's SAST check records |
| 653 | + # skipped commits as uncovered otherwise). |
688 | 654 |
|
689 | 655 | # ───────────────────────────────────────────────────────────────────────────── |
690 | 656 | # IaC security scan (Trivy config) — PR + push to main. |
|
0 commit comments