---
# Semgrep static-analysis workflow: scans the repository on pull requests,
# merge-queue runs, pushes to main and on a nightly schedule.
name: Semgrep Security Scan

on:
  pull_request:
    branches:
      - main
  # Merge-queue trigger; the bare value leaves GitHub's default activity types.
  merge_group:
  push:
    branches:
      - main
  schedule:
    # Nightly at 01:00 UTC (GitHub cron schedules are evaluated in UTC).
    - cron: '0 1 * * *'

jobs:
  semgrep:
    name: Scan
    runs-on: ubuntu-latest
    # Least-privilege token for the job: read the checkout, write check results;
    # nothing else is granted.
    permissions:
      contents: read
      checks: write
    container:
      # Semgrep image pinned by digest so the scanner cannot be swapped under a
      # mutable tag; the trailing comment records the version. Do not change this.
      image: returntocorp/semgrep@sha256:aebb747812ebd96b674928c63046730432ad06961a56f5b44fa01a29b3a9487a  # v1.23.0
    # Skip PRs opened by dependabot, whose workflow runs get a restricted token,
    # to avoid permission issues.
    if: (github.actor != 'dependabot[bot]')
    steps:
      # Checkout action pinned to a commit SHA rather than a mutable tag.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      # Run Semgrep in CI mode inside the pinned container.
      - run: semgrep ci
        env:
          # Rule packs Semgrep applies; browse others at semgrep.dev/explore.
          SEMGREP_RULES: p/default p/golang p/github-actions p/docker