Skip to content

Semgrep

Semgrep #21

Workflow file for this run

name: Semgrep
on:
workflow_dispatch: {}
schedule:
- cron: "30 0 1 * *" # scheduled for 00:30 UTC on both the 1st of the month
jobs:
semgrep:
name: Scan
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep
# Skip any PR created by dependabot to avoid permission issues
if: (github.actor != 'dependabot[bot]')
steps:
# Fetch project source
- uses: actions/checkout@v3
- name: semgrep-run
id: semgrep-run
run: |
touch output.log
semgrep ci 2>&1 | tee output.log
env:
# Select rules for your scan with one of these two options.
# Option 1: set hard-coded rulesets
SEMGREP_RULES: >- # more at semgrep.dev/r
p/security-audit
p/secrets
p/ci
p/dockerfile
p/javascript
p/flask
p/python
- name: upload-logs
if: always()
uses: actions/upload-artifact@v3
with:
name: output.log
path: output.log
retention-days: 1