2.11.7a: Add action to scan with semgrep #3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Name of this GitHub Actions workflow. | |
| name: Scan Application Code with Semgrep SAST | |
| on: | |
| # Trigger the workflow on the following events: | |
| # Scan changed files in Pull Requests (diff-aware scanning). | |
| pull_request: {} | |
| # Trigger the workflow on-demand through the GitHub Actions interface. | |
| workflow_dispatch: {} | |
| # Scan mainline branches (main and development) and report all findings. | |
| push: | |
| branches: ["main", "development"] | |
| jobs: | |
| semgrep: | |
| # User definable name of this GitHub Actions job. | |
| name: Scan Application Code with Semgrep SAST | |
| # Specify the runner environment. Use the latest version of Ubuntu. | |
| runs-on: ubuntu-latest | |
| # Define permissions for specific GitHub Actions. | |
| permissions: | |
| actions: read # Permission to read GitHub Actions. | |
| contents: read # Permission to read repository contents. | |
| security-events: write # Permission to write security events. | |
| container: | |
| # Use a Docker image with Semgrep installed. Do not change this. | |
| image: returntocorp/semgrep | |
| # Skip any Pull Request created by the Dependabot to avoid permission issues. | |
| if: (github.actor != 'dependabot[bot]') | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| # Step: Checkout code | |
| # Action to check out the code from the repository. | |
| # This step fetches the codebase from the GitHub repository. | |
| - name: Run Semgrep XSS Scan | |
| run: semgrep --config p/xss --sarif --output=semgrep-xss-results.sarif | |
| continue-on-error: true | |
| # Execute Semgrep to scan the code for XSS (Cross-Site Scripting) vulnerabilities using the p/xss configuration. | |
| # Save the results in SARIF format to semgrep-xss-results.sarif. | |
| # Continue the workflow even if there are errors during the scan. | |
| - name: Run Semgrep High-Confidence SAST Scan | |
| run: semgrep --config p/ci --sarif --output=semgrep-ci-results.sarif | |
| continue-on-error: true | |
| # Execute Semgrep to scan the code for XSS (Cross-Site Scripting) vulnerabilities using the p/xss configuration. | |
| # Save the results in SARIF format to semgrep-xss-results.sarif. | |
| # Continue the workflow even if there are errors during the scan. | |
| - name: Upload XSS SARIF file for GitHub Advanced Security Dashboard | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: semgrep-xss-results.sarif | |
| category: "Semgrep XSS Scan" | |
| if: always() | |
| # Upload the SARIF file with scan results to the GitHub Advanced Security Dashboard. | |
| - name: Upload CI SARIF file for GitHub Advanced Security Dashboard | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: semgrep-ci-results.sarif | |
| category: "Semgrep High-Confidence SAST Scan" | |
| if: always() | |
| # Upload the SARIF file with scan results to the GitHub Advanced Security Dashboard. |