generated from google/new-project
-
Notifications
You must be signed in to change notification settings - Fork 0
39 lines (39 loc) · 1.76 KB
/
action_scanning.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
### Required actions to scan GitHub action workflows for security issues.
name: 'Scan GitHub Action workflows files for security issues'
on:
pull_request: {}
permissions:
contents: 'read'
security-events: 'write'
actions: 'read'
jobs:
semgrep:
name: 'semgrep-oss/scan'
runs-on: 'ubuntu-latest'
container:
image: 'index.docker.io/semgrep/semgrep@sha256:85782eaf09692e6dfb684cd3bad87ef315775814b01f76b4d15582e4ca7c1c89' # ratchet:semgrep/semgrep
# Skip any PR created by dependabot to avoid permission issues:
if: (github.actor != 'dependabot[bot]')
steps:
- name: 'Checkout Code'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
- name: 'Checkout Workflow Config'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
env:
GH_REPO_OWNER: ${{ github.repository_owner }}
with:
repository: 'google/github-team'
path: action_scanning
- name: 'Run Actions semgrep scan'
run: 'semgrep scan --sarif --config action_scanning/semgrep-rules --config "p/github-actions"
>> semgrep-results-actions.sarif'
- name: 'Save Actions SARIF results as artifact'
uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # ratchet:actions/upload-artifact@v4
with:
name: 'semgrep-scan-results-actions'
path: 'semgrep-results-actions.sarif'
- name: 'Upload Actions SARIF result to the GitHub Security Dashboard'
uses: 'github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841' # ratchet:github/codeql-action/upload-sarif@v3
with:
sarif_file: 'semgrep-results-actions.sarif'
if: always()