Merge pull request #855 from commercetools/semgrep

jenschude · web-flow · commit dcc80f7d2ccf · 2025-03-20T13:59:25.000+01:00
add semgrep workflow
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -0,0 +1,42 @@
+# Name of this GitHub Actions workflow.
+name: Semgrep Scan for CodeQL
+
+on:
+    workflow_dispatch:
+    schedule:
+        - cron: '0 5 * * 1'
+
+permissions:
+    # required for all workflows
+    security-events: write
+    # only required for workflows in private repositories
+    actions: read
+    contents: read
+
+jobs:
+    semgrep:
+        # User definable name of this GitHub Actions job.
+        name: semgrep
+        # If you are self-hosting, change the following `runs-on` value:
+        runs-on: ubuntu-latest
+
+        container:
+            # A Docker image with Semgrep installed. Do not change this.
+            image: returntocorp/semgrep
+
+        # Skip any PR created by dependabot to avoid permission issues:
+        if: (github.actor != 'dependabot[bot]')
+
+        steps:
+            - name: Checkout
+              uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+              with:
+                  persist-credentials: false
+
+            - name: Run Semgrep
+              run: semgrep scan --sarif --output=semgrep.sarif --config=p/auto --config=p/dockerfile --config=p/typescript --config=p/javascript --config=p/java --metrics=off --verbose
+            - name: Upload SARIF file for GitHub Advanced Security Dashboard
+              uses: github/codeql-action/upload-sarif@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # CodeQL Bundle v2.16.1
+              with:
+                  sarif_file: semgrep.sarif
+              if: always()
