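---
# Semgrep SAST workflow: scans the repository with a set of Semgrep rulesets
# and publishes the findings to the GitHub code-scanning tab as SARIF.
name: Semgrep SAST

on:
  push:
    branches: ['**']
  pull_request:
    branches: [main]
  workflow_dispatch:

# Least-privilege token: read the source, write code-scanning alerts, nothing else.
# NOTE(review): pull_request runs triggered from forks get a read-only token, so
# the SARIF upload step is expected to fail there — confirm whether fork PRs are
# in scope before relying on this job as a required check.
permissions:
  contents: read
  security-events: write

jobs:
  semgrep:
    name: Semgrep security scan
    runs-on: ubuntu-latest
    container:
      # Pinned to a version tag. Tags are mutable; for a reproducible,
      # tamper-resistant scan pin the image digest as well
      # (semgrep/semgrep:1.79@sha256:<image-digest>).
      image: semgrep/semgrep:1.79
    steps:
      - name: Checkout code
        # Major-version tags (v4/v3) are mutable; pinning third-party actions
        # to a full commit SHA is the stronger supply-chain control.
        uses: actions/checkout@v4

      - name: Run Semgrep
        # Rulesets: generic security audit, hard-coded secrets, OWASP Top Ten,
        # plus the JavaScript/TypeScript packs. Semgrep exits non-zero when it
        # reports findings, which fails this step but still writes the SARIF
        # file; telemetry is disabled with --metrics=off.
        run: |
          semgrep scan \
            --config p/security-audit \
            --config p/secrets \
            --config p/owasp-top-ten \
            --config p/javascript \
            --config p/typescript \
            --sarif \
            --output=semgrep.sarif \
            --metrics=off

      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        # Run even when the scan step failed on findings, but only if the SARIF
        # file was actually produced — otherwise a crashed or aborted scan would
        # be masked by a "file not found" error from the upload step instead of
        # surfacing the real failure from the scan step.
        if: always() && hashFiles('semgrep.sarif') != ''
        with:
          sarif_file: semgrep.sarif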