diff --git a/static-analysis/semgrep/README.md b/static-analysis/semgrep/README.md
index f1b4a51..9ae4858 100644
--- a/static-analysis/semgrep/README.md
+++ b/static-analysis/semgrep/README.md
@@ -13,17 +13,17 @@ GitHub Action that scans code changes being made and posts security findings in
 ```yaml
 - uses: @
 with:
- checkout-repo:
- # Perform checkout as first step
- #
- # Required: false
- # Default: true
-
 semgrep-app-token:
- # SemGrep API token to be added to repo that allows pulling the latest rule config from ruleboard in Semgrep UI
+ # Semgrep API token to pull the latest rule configuration from Semgrep's ruleboard
 #
 # Required: true
 # Default: ""
+
+ checkout-repo:
+ # Perform checkout as the first step
+ #
+ # Required: false
+ # Default: true
 ```
diff --git a/static-analysis/semgrep/action.yaml b/static-analysis/semgrep/action.yaml
index 548d04b..a4044e0 100644
--- a/static-analysis/semgrep/action.yaml
+++ b/static-analysis/semgrep/action.yaml
@@ -1,19 +1,17 @@
 name: Run static code analysis
 description: GitHub Action that scans code changes being made and posts security findings in form of comments on pull requests
 inputs:
+ semgrep-app-token:
+ required: true
+ description: Semgrep API token to pull the latest rule configuration from Semgrep's ruleboard
 checkout-repo:
- description: Perform checkout as first step
+ description: Perform checkout as the first step
 required: false
 default: "true"
- semgrep-app-token:
- required: true
- description: SemGrep API token to be added to repo that allows pulling the latest rule config from ruleboard in Semgrep UI
+
 runs:
- using: composite
- image: semgrep/semgrep:latest-nonroot
- steps:
- - name: Checkout
- if: ${{ inputs.checkout-repo == 'true' }}
- uses: actions/checkout@v4
- - run: semgrep ci
- shell: bash
+ using: docker
+ image: docker://semgrep/semgrep:latest-nonroot
+ entrypoint: semgrep
+ args:
+ - ci
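Review bot: The `semgrep-app-token` input is declared on the new side of the action.yaml hunk but nothing hands it to the container: a Docker action exposes inputs to the image only as `INPUT_*` environment variables, while `semgrep ci` reads `SEMGREP_APP_TOKEN`, so the token never reaches Semgrep unless the calling workflow happens to set that variable itself. Wire it explicitly under `runs:` with `env:` and `SEMGREP_APP_TOKEN: ${{ inputs.semgrep-app-token }}`. The `checkout-repo` input is also kept although the `steps:` that consumed it are removed and a Docker action cannot run `actions/checkout` on its own, so the input is now dead and the README snippet in the first hunk still describes it as performing a checkout; either drop it or document that the caller must check out the repository before this step. `docker://semgrep/semgrep:latest-nonroot` is a mutable tag; pinning the image to a digest (`docker://semgrep/semgrep@sha256:<DIGEST-placeholder>`) would keep the scanner version reproducible and auditable.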