Skip to content

🔎 Semgrep: Static Code Analysis #38

🔎 Semgrep: Static Code Analysis

🔎 Semgrep: Static Code Analysis #38

Workflow file for this run

name: '🔎 Semgrep: Static Code Analysis'
on:
pull_request:
paths:
- 'src/**'
- '!src/qodana.yml'
- '.github/workflows/semgrep.yml'
types: [opened, synchronize, reopened]
push:
branches:
- 'master'
paths:
- 'src/**'
- '!src/qodana.yml'
- '.github/workflows/semgrep.yml'
schedule:
- cron: '38 7 * * 0' # Random time
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
semgrep:
# Skip push event by dependabot to avoid permission issues.
if: ${{ github.actor != 'dependabot[bot]' || github.event_name != 'push' }}
runs-on: ubuntu-latest
container:
# A Docker image with Semgrep installed. Do not change this.
image: returntocorp/semgrep
steps:
- name: 📥 checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: 🔬 Semgrep Scan
run: semgrep ci --sarif > semgrep.sarif
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
- name: 📊 Upload SARIF file for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: semgrep.sarif
if: ${{ always() }}