.github/workflows/secure.yml

---
name: Secure

on:
  pull_request:
    branches: ['master']
  merge_group:

jobs:
  # Sample GitHub Actions:
  # https://semgrep.dev/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - run: semgrep scan --sarif --output=semgrep.sarif --error
        env:
          SEMGREP_RULES: >-
            p/bandit
            p/command-injection
            p/comment
            p/cwe-top-25
            p/default
            p/gitlab
            p/gitlab-bandit
            p/gitleaks
            p/insecure-transport
            p/owasp-top-ten
            p/python
            p/r2c-best-practices
            p/r2c-bug-scan
            p/r2c-security-audit
            p/secrets
            p/security-audit
            p/xss
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif
        if: always()

  # Samples GitHub Actions:
  # https://github.com/aquasecurity/trivy-action
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action
        with:
          scan-type: 'fs'
          format: 'sarif'
          output: 'trivy.sarif'
          exit-code: '1'
          severity: 'CRITICAL,HIGH'
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy.sarif
        if: always()