Skip to content

Security Checks

Security Checks #206

name: Security Checks
on:
push:
pull_request:
schedule:
- cron: '0 0 * * 1'
jobs:
run-shellcheck:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- name: Check out repository code
uses: actions/checkout@v4
- name: Install all ShellCheck dependencies
continue-on-error: true
run: |
sudo apt-get install shellcheck
- name: Run ShellCheck on all Bash scripts
continue-on-error: true
run: |
shellcheck ./*.sh -S error > ./shellcheck.log &&
sleep 2
if grep --quiet "(error)" ./shellcheck.log; then
ls -la
echo
echo "WARNING! ShellCheck discovered serious problems."
echo
cat ./shellcheck.log
else
ls -la
echo
echo "ShellCheck did not discover any serious problems."
echo
shellcheck -V
fi
run-semgrep:
runs-on: ubuntu-latest
timeout-minutes: 60
container:
image: returntocorp/semgrep
if: (github.actor != 'dependabot[bot]')
steps:
- uses: actions/checkout@v4
- run: semgrep ci --exclude='*.html' --exclude='*.xml' --sarif --output=semgrep.sarif
continue-on-error: true
env:
SEMGREP_RULES: p/default
- name: Upload SARIF file for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: semgrep.sarif
if: always()