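---
# Semgrep static analysis for this repository. Findings are written as
# SARIF and published to the repository's Security tab (code scanning).
name: Semgrep SAST

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader reads it
# as the trigger key, so the yamllint truthy warning is suppressed here.
on:  # yamllint disable-line rule:truthy
  push:
    # Quoted: a plain `**` would be read as a YAML alias, not a glob.
    branches: ['**']
  pull_request:
    branches: [main]
  workflow_dispatch:

# Least privilege for the default GITHUB_TOKEN: the job only reads the
# source and writes code-scanning alerts; nothing here pushes code.
permissions:
  contents: read
  security-events: write

jobs:
  semgrep:
    name: Semgrep security scan
    runs-on: ubuntu-latest
    # The scanner runs inside a third-party image. It is pinned to a
    # version tag only; tags are mutable, so once the digest is recorded,
    # prefer `image: semgrep/semgrep:1.79@sha256:<digest>` for a
    # reproducible supply chain.
    container:
      image: semgrep/semgrep:1.79

    steps:
      # Major-version tag; pin to a full commit SHA for stronger
      # supply-chain integrity (a tag can be moved, a SHA cannot).
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # No later step needs git credentials, so do not leave the
          # token in .git/config inside the scanner container.
          persist-credentials: false

      # Rulesets come from the Semgrep registry (network fetch at run time).
      # --metrics=off keeps scan telemetry from leaving the runner.
      - name: Run Semgrep
        run: |
          semgrep scan \
            --config p/security-audit \
            --config p/secrets \
            --config p/owasp-top-ten \
            --config p/javascript \
            --config p/typescript \
            --sarif \
            --output=semgrep.sarif \
            --metrics=off

      # always(): upload whatever SARIF exists even when the scan step
      # exited non-zero, so results still reach the Security tab. Same
      # SHA-pinning note as for actions/checkout applies to this action.
      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: semgrep.sarif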