Skip to content

🔎 Semgrep: Static Code Analysis #145

🔎 Semgrep: Static Code Analysis

🔎 Semgrep: Static Code Analysis #145

Workflow file for this run

name: '🔎 Semgrep: Static Code Analysis'
on:
pull_request:
paths:
- 'src/**'
- '!src/qodana.yml'
- '.github/workflows/semgrep.yml'
types: [opened, synchronize, reopened]
push:
branches:
- 'master'
paths:
- 'src/**'
- '!src/qodana.yml'
- '.github/workflows/semgrep.yml'
schedule:
- cron: '38 7 * * 0' # Random time
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
scan:
# Skip any PR created by dependabot to avoid permission issues:
if: ${{ github.actor != 'dependabot[bot]' }}
runs-on: ubuntu-latest
permissions:
contents: write
checks: write
security-events: write
container:
# A Docker image with Semgrep installed. Do not change this.
image: semgrep/semgrep
steps:
- name: 📥 checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: 🔬 semgrep scan
run: semgrep ci --sarif > semgrep.sarif
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
- name: 📊 upload sarif file for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: semgrep.sarif
if: ${{ always() }}