forked from open-edge-platform/edge-ai-suites
-
Notifications
You must be signed in to change notification settings - Fork 0
36 lines (32 loc) · 1.09 KB
/
zizmor-scan.yaml
File metadata and controls
36 lines (32 loc) · 1.09 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# This workflow scans repo with Zizmor (static analysis tool for GitHub Actions),
# comments PR and outputs results into GitHub security tab
name: Zizmor scan
on:
push:
branches:
- main
pull_request:
branches:
- main
schedule:
# Run security checks every day at 2 AM UTC
- cron: "0 2 * * *"
workflow_dispatch:
permissions: {}
jobs:
zizmor-scan:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write # Needed to upload the results to code-scanning dashboard
steps:
- name: Checkout code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false
- name: Run Zizmor scan
uses: open-edge-platform/geti-ci/actions/zizmor@3a4b81ea648711eb638b34757427cd3ef71d19f1
with:
scan-scope: ${{ github.event_name == 'pull_request' && 'changed' || 'all' }}
severity-level: ${{ github.event_name == 'pull_request' && 'HIGH' || 'LOW' }}
fail-on-findings: ${{ github.event_name == 'pull_request' && 'true' || 'false' }}