chore: Add semgrep CI worflow + clean up codeql workflow (#240)

maxmilton · Aug 17, 2022 · ca2be6d · ca2be6d
1 parent eb435fa
commit ca2be6d
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 10 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -1,4 +1,4 @@
-name: CodeQL
+name: codeql
 on:
   push:
     branches: [master]
@@ -8,21 +8,16 @@ on:
     - cron: '28 6 * * 4'
 jobs:
   analyze:
-    name: Analyze
     runs-on: ubuntu-latest
     permissions:
       actions: read
       contents: read
       security-events: write
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+      - uses: actions/checkout@v3
+      - uses: github/codeql-action/init@v2
         with:
           languages: javascript
           queries: security-extended,security-and-quality
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+      - uses: github/codeql-action/autobuild@v2
+      - uses: github/codeql-action/analyze@v2
diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml
@@ -0,0 +1,26 @@
+name: semgrep
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+  schedule:
+    - cron: '28 6 * * 4'
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v3
+      - run: semgrep ci --sarif --output=semgrep.sarif || true
+        env:
+          SEMGREP_RULES: p/default
+      - uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: semgrep.sarif