Skip to content

chore(deps): update actions/checkout action to v3.6.0 #852

chore(deps): update actions/checkout action to v3.6.0

chore(deps): update actions/checkout action to v3.6.0 #852

# Copyright 2020 Wayback Archiver. All rights reserved.
# Use of this source code is governed by the MIT license
# that can be found in the LICENSE file.
name: Semgrep
on:
push:
branches:
- '**'
pull_request:
branches:
- '**'
types: [ opened, synchronize, reopened ]
workflow_call:
inputs:
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'
permissions:
contents: read
jobs:
semgrep:
runs-on: ubuntu-latest
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
container:
image: returntocorp/semgrep:sha-293a57f
env:
SEMGREP_SEND_METRICS: 'off'
steps:
- name: Harden Runner
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
disable-sudo: true
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
api.github.com:443
semgrep.dev:443
- name: Check out code base
if: github.event_name == 'push'
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
fetch-depth: 0
persist-credentials: false
- name: Check out code base
if: github.event_name == 'pull_request'
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
fetch-depth: 0
persist-credentials: false
ref: ${{ github.event.pull_request.head.sha }}
- name: Run Bug Scan
run: semgrep ci
env:
SEMGREP_RULES: 'p/r2c-bug-scan'
- name: Run CI
run: semgrep ci
env:
SEMGREP_RULES: 'p/r2c-ci'
- name: Run Best Practices
run: semgrep ci
env:
SEMGREP_RULES: 'p/r2c-best-practices'
- name: Run Security Audit
run: semgrep ci
env:
SEMGREP_RULES: 'p/r2c-security-audit'
- name: Run GoSec
run: semgrep ci
env:
SEMGREP_RULES: 'p/gosec'
- name: Run insecure-transport Detecting
run: semgrep ci
env:
SEMGREP_RULES: 'p/insecure-transport'