semgrep.yml

# Name of this GitHub Actions workflow.
name: Semgrep

on:
  # Scan changed files in PRs (diff-aware scanning):
  pull_request: {}
  # Scan on-demand through GitHub Actions interface:
  workflow_dispatch: {}
  # Scan mainline branches and report all findings:
  push:
    branches: ["master", "main"]

jobs:
  semgrep_scan:
    # User definable name of this GitHub Actions job.
    name: semgrep/ci
    # If you are self-hosting, change the following `runs-on` value:
    runs-on: ubuntu-latest
    container:
      # A Docker image with Semgrep installed. Do not change this.
      image: returntocorp/semgrep
    # Skip any PR created by dependabot to avoid permission issues:
    if: (github.actor != 'dependabot[bot]')
    permissions:
      # required for all workflows
      security-events: write
      # only required for workflows in private repositories
      actions: read
      contents: read

    steps:
      # Get current date
      - name: Set current date as env variable
        run: echo "NOW=$(date +'%Y-%m-%dT%H-%M-%S')" >> $GITHUB_ENV

      # Fetch project source with GitHub Actions Checkout.
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Perform Semgrep Analysis
      # @NOTE: This is the actual semgrep command to scan your code.
      # Modify the --config option to 'r/all' to scan using all rules,
      # or use multiple flags to specify particular rules, such as
      # --config r/all --config custom/rules
        run: semgrep scan -q --sarif --config auto . > semgrep-results.sarif

      # upload the results 
      - name: Save SARIF results as artifact
        uses: actions/upload-artifact@v4
        with:
          name: semgrep-scan-results-${{ env.NOW }}
          path: semgrep-results.sarif
      
      - name: Download SARIF results
        uses: actions/download-artifact@v4
        with:
            name: semgrep-scan-results-${{ env.NOW }}