Skip to content

chore(deps): update fossas/fossa-action action to v1.4.0 #862

chore(deps): update fossas/fossa-action action to v1.4.0

chore(deps): update fossas/fossa-action action to v1.4.0 #862

# Copyright 2020 Wayback Archiver. All rights reserved.
# Use of this source code is governed by the MIT license
# that can be found in the LICENSE file.
name: Semgrep
on:
push:
branches:
- '**'
pull_request:
branches:
- '**'
types: [ opened, synchronize, reopened ]
workflow_call:
inputs:
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'
permissions:
contents: read
jobs:
semgrep:
runs-on: ubuntu-latest
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
container:
image: returntocorp/semgrep:sha-293a57f
env:
SEMGREP_SEND_METRICS: 'off'
steps:
- name: Harden Runner
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
disable-sudo: true
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
api.github.com:443
semgrep.dev:443
- name: Check out code base
if: github.event_name == 'push'
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
with:
fetch-depth: 0
persist-credentials: false
- name: Check out code base
if: github.event_name == 'pull_request'
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
with:
fetch-depth: 0
persist-credentials: false
ref: ${{ github.event.pull_request.head.sha }}
- name: Run Bug Scan
run: semgrep ci
env:
SEMGREP_RULES: 'p/r2c-bug-scan'
- name: Run CI
run: semgrep ci
env:
SEMGREP_RULES: 'p/r2c-ci'
- name: Run Best Practices
run: semgrep ci
env:
SEMGREP_RULES: 'p/r2c-best-practices'
- name: Run Security Audit
run: semgrep ci
env:
SEMGREP_RULES: 'p/r2c-security-audit'
- name: Run GoSec
run: semgrep ci
env:
SEMGREP_RULES: 'p/gosec'
- name: Run insecure-transport Detecting
run: semgrep ci
env:
SEMGREP_RULES: 'p/insecure-transport'