AccessibilityDevTools/.github/workflows/Semgrep.yml at main · browserstack/AccessibilityDevTools · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# Name of this GitHub Actions workflow.
name: Semgrep

on:
  # Scan changed files in PRs (diff-aware scanning):
  # The branches below must be a subset of the branches above
  pull_request:
    branches: ["master", "main"]
  push:
    branches: ["master", "main"]
  schedule:
    - cron: '0 6 * * *'


permissions:
  contents: read

jobs:
  semgrep:
    # User definable name of this GitHub Actions job.
    permissions:
      contents: read  # for actions/checkout to fetch code
      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
    name: semgrep/ci
    # If you are self-hosting, change the following `runs-on` value:
    runs-on: ubuntu-latest

    container:
      # Pinned by digest for supply-chain integrity (DEVA11Y-476).
      # To update: docker manifest inspect returntocorp/semgrep:latest
      image: returntocorp/semgrep@sha256:f682953ce85e3725f4a4dd94bd7ad13e570bb6b2c7a8cf7c6e38a9eac89239b2

    # Skip any PR created by dependabot to avoid permission issues:
    if: (github.actor != 'dependabot[bot]')

    steps:
      # Fetch project source with GitHub Actions Checkout.
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      # Run the "semgrep ci" command on the command line of the docker image.
      - run: semgrep ci --sarif --output=semgrep.sarif
        env:
            # Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable.
            SEMGREP_RULES: p/default # more at semgrep.dev/explore

      - name: Upload SARIF file for GitHub Advanced Security Dashboard
        uses: github/codeql-action/upload-sarif@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e # v2.20.0
        with:
          sarif_file: semgrep.sarif
        if: always()