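name: Semgrep scan

on:
  workflow_dispatch:
  pull_request:

env:
  # Local rules first, then registry rulesets. The p/... packs are resolved
  # from the Semgrep registry at run time, so each run depends on the
  # registry being reachable and on whatever those packs contain that day.
  configs: "rules/ p/ci p/security-audit p/owasp-top-ten"

# Least privilege: no step below comments on or edits pull requests, so the
# job token only needs to read the repository. (On pull_request runs from
# forks the token is read-only regardless; dropping the write scope makes
# same-repo runs match.) If a SARIF upload to code scanning is added later,
# grant `security-events: write` for that step rather than widening this.
permissions:
  contents: read

jobs:
  semgrep:
    name: Run Semgrep
    runs-on: ubuntu-latest
    container:
      # Supply chain: a version tag is mutable and can be re-pushed. Prefer
      # pinning by digest (image@sha256:...) and bumping it deliberately.
      image: returntocorp/semgrep:1.86
    steps:
      # Supply chain: pin third-party actions to a full commit SHA rather
      # than a floating major tag.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Fetch the entire history

      # The checkout happens inside the container under a different user
      # than the workspace owner; git refuses to touch the repository
      # until the path is marked safe. Quoted in case the path has spaces.
      - name: Mark the Git repository as safe
        run: |
          git config --global --add safe.directory "$GITHUB_WORKSPACE"

      - name: Fetch all branches and tags
        run: |
          git fetch --all
          git fetch --tags

      # NOTE(review): on pull_request the scan runs against the PR's merge
      # commit, including any changes the PR makes under rules/. A PR can
      # therefore edit or delete local rules to silence its own findings;
      # protect rules/ (CODEOWNERS / required reviewers) if that matters.
      - name: run semgrep
        id: run_semgrep
        env:
          SEMGREP_RULES: ${{ env.configs }}
          # Quoted so the YAML loader cannot retype 0/off as int/bool
          # before they reach Semgrep as environment strings.
          SEMGREP_ENABLE_VERSION_CHECK: "0"
          SEMGREP_SEND_METRICS: "off"
        shell: bash
        # --error makes `semgrep scan` exit non-zero when there are
        # findings, so the job (and the PR check) fails instead of going
        # green with findings that only appear in the step below. There is
        # no pipeline here, so no pipefail tweak is needed.
        run: |
          semgrep scan . --error --gitlab-sast -o /tmp/semgrep.json

      # Runs whether or not the scan step failed so the findings are
      # visible. The report embeds matched code snippets; on a public
      # repository the job log is public too.
      - name: Show Semgrep report
        if: success() || failure()
        run: cat /tmp/semgrep.json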