semgrep-scan #7408
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Name of Semgrep-Actions workflow | |
| name: semgrep-scan | |
| on: | |
| # Scan changed files in PRs (diff-aware scanning): | |
| pull_request: {} | |
| # Scan mainline branches and report all findings: | |
| push: | |
| branches: ["ci_dev", "ci_temporary", "main", "opensource_gsf"] | |
| schedule: | |
| - cron: '0 */12 * * *' | |
| defaults: | |
| run: | |
| shell: bash | |
| jobs: | |
| semgrep: | |
| name: Scan | |
| runs-on: ubuntu-latest | |
| container: | |
| image: returntocorp/semgrep | |
| options: --user root | |
| # Skip any PR created by dependabot to avoid permission issues: | |
| if: (github.actor != 'dependabot[bot]') | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v3 | |
| - name: Install Semgrep | |
| run: | | |
| pip install semgrep | |
| semgrep --version | |
| # Period (.) to run scan in the current directory to avoid blocking findings in the future use --exclude=+BLOCKING | |
| - name: Run Scan - 1 (Default Ruleset) | |
| run: semgrep --config=p/default . | |
| - name: Run Scan - 2 (Ruleset for Python) | |
| run: semgrep --config=p/python . | |
| - name: Run Scan - 3 (Ruleset for Dockerfile) | |
| run: semgrep --config=p/dockerfile . | |
| - name: Run Scan - 4 (Ruleset CWE TOP 25) | |
| run: semgrep --config=p/cwe-top-25 . | |