commercetools-sdk-java-v2/.github/workflows/semgrep.yml at main · commercetools/commercetools-sdk-java-v2 · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# Name of this GitHub Actions workflow.
name: Semgrep Scan for CodeQL

on:
    workflow_dispatch:
    schedule:
        - cron: '0 5 * * 1'

permissions:
    # required for all workflows
    security-events: write
    # only required for workflows in private repositories
    actions: read
    contents: read

jobs:
    semgrep:
        # User definable name of this GitHub Actions job.
        name: semgrep
        # If you are self-hosting, change the following `runs-on` value:
        runs-on: ubuntu-latest

        container:
            # A Docker image with Semgrep installed. Do not change this.
            image: returntocorp/semgrep

        # Skip any PR created by dependabot to avoid permission issues:
        if: (github.actor != 'dependabot[bot]')

        steps:
            - name: Checkout
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
              with:
                  persist-credentials: false

            - name: Run Semgrep
              run: semgrep scan --sarif --output=semgrep.sarif --config=p/auto --config=p/dockerfile --config=p/typescript --config=p/javascript --config=p/java --metrics=off --verbose
            - name: Upload SARIF file for GitHub Advanced Security Dashboard
              uses: github/codeql-action/upload-sarif@39edc492dbe16b1465b0cafca41432d857bdb31a # v3.29.1
              with:
                  sarif_file: semgrep.sarif
              if: always()