Semgrep #99
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This GitHub Actions workflow is configured to run Semgrep, a static analysis tool, on the repository. | |
| # The workflow is triggered on the following events: | |
| # - Manually via the workflow_dispatch event. | |
| # - On pull requests. | |
| # - On pushes to the 'main' and 'master' branches, specifically when changes are made to the '.github/workflows/semgrep.yml' file. | |
| # - On a scheduled basis at 05:49 UTC every day to avoid load spikes at 00:00. | |
| # The workflow is named "Semgrep" and requires read permissions for repository contents. | |
| # The workflow defines a single job named "semgrep/ci" which runs on an Ubuntu 20.04 runner. | |
| # The job uses a Docker container with the 'returntocorp/semgrep' image. | |
| # The SEMGREP_APP_TOKEN is provided as an environment variable from the repository secrets. | |
| # The job consists of the following steps: | |
| # 1. Harden Runner: Uses the 'step-security/harden-runner' action to audit egress policies. | |
| # 2. Checkout: Uses the 'actions/checkout' action to check out the repository code. | |
| # 3. Run Semgrep: Executes the 'semgrep ci' command to run the Semgrep analysis. | |
| on: | |
| workflow_dispatch: {} | |
| pull_request: {} | |
| push: | |
| branches: | |
| - main | |
| - master | |
| paths: | |
| - .github/workflows/semgrep.yml | |
| schedule: | |
| # random HH:MM to avoid a load spike on GitHub Actions at 00:00 | |
| - cron: 49 5 * * * # Chosen to avoid a load spike on GitHub Actions at 00:00 | |
| name: Semgrep | |
| permissions: | |
| # The 'contents: read' permission is required to allow the workflow to read the repository contents. | |
| contents: read | |
| jobs: | |
| semgrep: | |
| name: semgrep/ci | |
| runs-on: ubuntu-20.04 | |
| env: | |
| SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} | |
| container: | |
| image: returntocorp/semgrep | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - run: semgrep ci |