Skip to content

Release 2026-07-02 #2 (#2459) #3197

Release 2026-07-02 #2 (#2459)

Release 2026-07-02 #2 (#2459) #3197

name: Semgrep
on:
# Scan changed files in PRs, block on new issues only (existing issues ignored)
pull_request:
push:
branches: ["dev", "master"]
schedule:
- cron: '23 20 * * 1'
# Manually trigger the workflow
workflow_dispatch:
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
semgrep:
name: Scan
permissions:
contents: read # to check out the repository
security-events: write # to upload SARIF results to the code scanning dashboard
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep@sha256:06938c1f365d3f67b8cedd8bc117607ae64253f88a0e768e9da9408548927dd6 # latest
# Skip any PR created by dependabot to avoid permission issues
if: (github.actor != 'dependabot[bot]')
steps:
# Fetch project source
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- run: semgrep ci --sarif > semgrep.sarif
env:
SEMGREP_RULES: >- # more at semgrep.dev/explore
p/security-audit
p/secrets
p/owasp-top-ten
- name: Upload SARIF file for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
with:
sarif_file: semgrep.sarif
if: always()