35 lines
1.1 KiB
YAML
35 lines
1.1 KiB
YAML
# Name of this GitHub Actions workflow.
|
|
name: Semgrep OSS scan
|
|
|
|
on:
|
|
# Scan changed files in PRs (diff-aware scanning):
|
|
pull_request: {}
|
|
# Scan on-demand through GitHub Actions interface:
|
|
workflow_dispatch: {}
|
|
# Scan mainline branches and report all findings:
|
|
push:
|
|
branches: ["master", "main"]
|
|
# Schedule the CI job (this method uses cron syntax):
|
|
schedule:
|
|
- cron: '25 19 * * *' # Sets Semgrep to scan every day at 19:25 UTC.
|
|
# It is recommended to change the schedule to a random time.
|
|
|
|
jobs:
|
|
semgrep:
|
|
# User definable name of this GitHub Actions job.
|
|
name: semgrep-oss/scan
|
|
# If you are self-hosting, change the following `runs-on` value:
|
|
runs-on: ubuntu-latest
|
|
|
|
container:
|
|
# A Docker image with Semgrep installed. Do not change this.
|
|
image: semgrep/semgrep
|
|
|
|
# Skip any PR created by dependabot to avoid permission issues:
|
|
if: (github.actor != 'dependabot[bot]')
|
|
|
|
steps:
|
|
# Fetch project source with GitHub Actions Checkout.
|
|
- uses: actions/checkout@v3
|
|
# Run the "semgrep scan" command on the command line of the docker image.
|
|
- run: semgrep scan --config auto |