Skip to content

Commit

Permalink
[IDP-948] Use reusable Semgrep workflow
Browse files Browse the repository at this point in the history
  • Loading branch information
heqianwang committed Mar 7, 2024
1 parent 1dd65cf commit 35e0f56
Showing 1 changed file with 3 additions and 39 deletions.
42 changes: 3 additions & 39 deletions .github/workflows/semgrep.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,46 +5,10 @@ on:
branches: ["main", "master"]
workflow_dispatch: {}
schedule:
- cron: "58 20 * * 6"
- cron: "10 22 * * 6"

jobs:
semgrep:
runs-on: ubuntu-latest
call-workflow-semgrep:
permissions:
security-events: write

container:
image: returntocorp/semgrep

steps:
- name: Checkout all commits and tags
uses: actions/checkout@v4
if: ${{ github.event_name == 'pull_request' }}
with:
fetch-depth: 0

- name: Checkout single commit
uses: actions/checkout@v4
if: ${{ github.event_name != 'pull_request' }}

- name: Pull request scan
if: ${{ github.event_name == 'pull_request' }}
run: semgrep scan --config=auto --verbose --time --error --baseline-commit ${{ github.event.pull_request.base.sha }}

- name: Full scan
if: ${{ github.event_name != 'pull_request' }}
run: semgrep scan --config=auto --verbose --time --sarif --output report.sarif

- name: Save report as pipeline artifact
if: ${{ github.event_name != 'pull_request' }}
uses: actions/upload-artifact@v4
with:
name: report.sarif
path: report.sarif

- name: Publish code scanning alerts
if: ${{ github.event_name != 'pull_request' }}
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: report.sarif
category: semgrep
uses: gsoft-inc/wl-reusable-workflows/.github/workflows/reusable-semgrep-workflow.yml@main

0 comments on commit 35e0f56

Please sign in to comment.