From 71b812e4f599a0be00da52dfc644c8eb8e89f144 Mon Sep 17 00:00:00 2001
From: GeoDerp <18461782+GeoDerp@users.noreply.github.com>
Date: Sun, 26 Apr 2026 10:52:35 +0930
Subject: [PATCH] feat: add SAST scanning workflow with Semgrep and OSV-Scanner

---
 .github/workflows/sast-scan.yml | 68 +++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 .github/workflows/sast-scan.yml

diff --git a/.github/workflows/sast-scan.yml b/.github/workflows/sast-scan.yml
new file mode 100644
index 00000000000..f19752a9a18
--- /dev/null
+++ b/.github/workflows/sast-scan.yml
@@ -0,0 +1,68 @@
+name: SAST Scanning
+on:
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ # Run at 00:00 on Sunday (semi-routinely)
+ - cron: '0 0 * * 0'
+ push:
+ branches: [ "main" ]
+
+permissions:
+ contents: read
+ security-events: write
+ actions: read
+
+jobs:
+ semgrep:
+ name: Semgrep Source Code Scan
+ runs-on: ubuntu-24.04
+ container:
+ image: semgrep/semgrep:1.66.0
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4.1.2
+
+ - name: Run Semgrep
+ run: |
+ semgrep scan \
+ --config="p/python" \
+ --config="p/owasp-top-ten" \
+ --config="p/cwe-top-25" \
+ --config="p/security-audit" \
+ --config="p/secrets" \
+ --sarif --sarif-output=semgrep.sarif \
+ .
+ continue-on-error: true
+
+ - name: Upload Semgrep SARIF report
+ uses: github/codeql-action/upload-sarif@v3.25.0
+ with:
+ sarif_file: semgrep.sarif
+ category: semgrep
+
+ osv-scanner:
+ name: OSV-Scanner Dependency Scan
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4.1.2
+
+ - name: Run OSV-Scanner
+ uses: google/osv-scanner-action@v2.3.5
+ continue-on-error: true
+ with:
+
+ scan-args: |-
+ --min-severity=7.0
+ --recursive
+ ./
+
+ - name: Upload OSV-Scanner SARIF
+ uses: github/codeql-action/upload-sarif@v3.25.0
+ if: always()
+ with:
+ # The OSV action defaults to outputting "results.sarif"
+ sarif_file: results.sarif
+ category: osv-scanner
\ No newline at end of file
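Review bot: Every third-party component this workflow pulls in is pinned to a mutable tag rather than an immutable reference — `actions/checkout@v4.1.2`, `github/codeql-action/upload-sarif@v3.25.0`, `google/osv-scanner-action@v2.3.5` and the `semgrep/semgrep:1.66.0` container image — so a retagged or compromised release would run different code in a job that holds `security-events: write`; pin each action to its full commit SHA with the tag as a trailing comment (`uses: actions/checkout@<40-char sha> # v4.1.2`) and the image to a digest (`image: semgrep/semgrep:1.66.0@sha256:<digest>`). Separately, `continue-on-error: true` on both scan steps means no finding can ever fail the check, so the workflow reports but never gates a PR; if that is a deliberate rollout choice, record it in a comment such as `# non-blocking until the existing baseline is triaged`, otherwise drop it and add `if: always()` to the Semgrep upload step (as the OSV upload step already has) so the SARIF still lands when the scan returns non-zero. Note also that `--min-severity=7.0` silently discards OSV findings below high severity, which is worth stating in a comment next to the flag. Finally, on `pull_request` runs from forks the token is presumably read-only regardless of the declared `permissions`, so the upload-sarif steps would fail there — confirm before relying on PR-time results from external contributors.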