From 35e0f5633e7f9ee2083eef067b587a65784e2991 Mon Sep 17 00:00:00 2001
From: He Qian Wang
Date: Thu, 7 Mar 2024 12:28:07 -0500
Subject: [PATCH] [IDP-948] Use reusable Semgrep workflow

---
 .github/workflows/semgrep.yml | 42 +++-------------------------------
 1 file changed, 3 insertions(+), 39 deletions(-)

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index ee7aa95..0b1d0af 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -5,46 +5,10 @@ on:
     branches: ["main", "master"]
   workflow_dispatch: {}
   schedule:
-    - cron: "58 20 * * 6"
+    - cron: "10 22 * * 6"
 
 jobs:
-  semgrep:
-    runs-on: ubuntu-latest
+  call-workflow-semgrep:
     permissions:
       security-events: write
-
-    container:
-      image: returntocorp/semgrep
-
-    steps:
-      - name: Checkout all commits and tags
-        uses: actions/checkout@v4
-        if: ${{ github.event_name == 'pull_request' }}
-        with:
-          fetch-depth: 0
-      - name: Checkout single commit
-        uses: actions/checkout@v4
-        if: ${{ github.event_name != 'pull_request' }}
-      - name: Pull request scan
-        if: ${{ github.event_name == 'pull_request' }}
-        run: semgrep scan --config=auto --verbose --time --error --baseline-commit ${{ github.event.pull_request.base.sha }}
-      - name: Full scan
-        if: ${{ github.event_name != 'pull_request' }}
-        run: semgrep scan --config=auto --verbose --time --sarif --output report.sarif
-      - name: Save report as pipeline artifact
-        if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/upload-artifact@v4
-        with:
-          name: report.sarif
-          path: report.sarif
-      - name: Publish code scanning alerts
-        if: ${{ github.event_name != 'pull_request' }}
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: report.sarif
-          category: semgrep
+    uses: gsoft-inc/wl-reusable-workflows/.github/workflows/reusable-semgrep-workflow.yml@main
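Review bot: The new `uses:` line references the reusable workflow at the mutable `@main` ref of gsoft-inc/wl-reusable-workflows, so any commit pushed to that branch runs here without review and with this job's `security-events: write` token; pin it to a full-length commit SHA and bump it deliberately, e.g. `uses: gsoft-inc/wl-reusable-workflows/.github/workflows/reusable-semgrep-workflow.yml@<40-char-commit-sha>  # <tag this SHA corresponds to>`. The removed inline job treated pull requests (`--error --baseline-commit`, no upload) differently from pushes and the schedule (SARIF upload to code scanning); whether the reusable workflow preserves that split, in particular failing PRs on new findings, cannot be seen from this hunk and is worth confirming before merging. Because the job declares a `permissions:` block, every permission it does not list is `none` for the called workflow, so if that workflow checks out the repository it also needs `contents: read` here unless a workflow-level `permissions` above the hunk (not visible) grants it. The cron change would read better with a comment on the schedule line, `# Saturdays 22:10 UTC`.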