fix(workflow): update security check (#32)

* update security check

* add container

Author: mohit23x

.github/workflows/security.yml

@@ -1,4 +1,4 @@
-name: SecurityChecks
+name: Security Checks
 on:
   workflow_dispatch:
   pull_request: {}
@@ -8,19 +8,21 @@ on:
     - cron: "30 20 * * *"
 jobs:
   semgrep:
+    if: (github.actor != 'dependabot[bot]')
+    permissions: write-all
     name: Scan
-    runs-on: [ubuntu-latest] # nosemgrep : semgrep.dev/s/swati31196:github_provided_runner
+    runs-on: ubuntu-latest # nosemgrep : semgrep.dev/s/swati31196:github_provided_runner
+    container:
+      image: returntocorp/semgrep
     steps:
-      - uses: actions/checkout@v2
-      - uses: returntocorp/semgrep-action@v1
-        with:
-          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
-          publishDeployment: 339
+      - uses: actions/checkout@v3
+      - run: semgrep ci
         env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   workflow_status:
-    runs-on: [ubuntu-latest] # nosemgrep : semgrep.dev/s/swati31196:github_provided_runner
+    runs-on: ubuntu-latest # nosemgrep : semgrep.dev/s/swati31196:github_provided_runner
     name: Update Status Check
     needs: [semgrep]
     if: always()
@@ -29,7 +31,7 @@ jobs:
     steps:
       - name: Set github commit id
         run: |
-          if [ "${{ github.event_name }}" = "push" ] || [ "${{ github.event_name }}" = "schedule" ]; then
+          if [ "${{ github.event_name }}" = "push" ] || [ "${{ github.event_name }}" = "schedule" ] || [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
             echo "githubCommit=${{ github.sha }}" >> $GITHUB_ENV
           fi
           exit 0