2.11.7a: Add action to scan with semgrep

.github/workflows/scan-with-semgrep.yml

@@ -2,11 +2,15 @@
 name: Scan Application Code with Semgrep SAST
 
 on:
-  # Scan changed files in PRs (diff-aware scanning):
+  # Trigger the workflow on the following events:
+
+  # Scan changed files in Pull Requests (diff-aware scanning).
   pull_request: {}
-  # Scan on-demand through GitHub Actions interface:
+
+  # Trigger the workflow on-demand through the GitHub Actions interface.
   workflow_dispatch: {}
-  # Scan mainline branches and report all findings:
+
+  # Scan mainline branches (main and development) and report all findings.
   push:
     branches: ["main", "development"]
 
@@ -15,36 +19,55 @@ jobs:
     # User definable name of this GitHub Actions job.
     name: Scan Application Code with Semgrep SAST
 
-    # If you are self-hosting, change the following `runs-on` value: 
+    # Specify the runner environment. Use the latest version of Ubuntu.
     runs-on: ubuntu-latest
 
-    # Define permissions for specific actions
+    # Define permissions for specific GitHub Actions.
     permissions:
-        actions: read
-        contents: read
-        security-events: write
+        actions: read          # Permission to read GitHub Actions.
+        contents: read         # Permission to read repository contents.
+        security-events: write # Permission to write security events.
 
     container:
-      # A Docker image with Semgrep installed. Do not change this.
+      # Use a Docker image with Semgrep installed. Do not change this.
       image: returntocorp/semgrep
 
-    # Skip any PR created by dependabot to avoid permission issues:
+    # Skip any Pull Request created by the Dependabot to avoid permission issues.
     if: (github.actor != 'dependabot[bot]')
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
         # Step: Checkout code
-        # Action to check out the code from the repository
-        # This step fetches the codebase from the GitHub repository
+        # Action to check out the code from the repository.
+        # This step fetches the codebase from the GitHub repository.
+
+      - name: Run Semgrep XSS Scan
+        run: semgrep --config p/xss --sarif --output=semgrep-xss-results.sarif
+        continue-on-error: true
+        # Execute Semgrep to scan the code for XSS (Cross-Site Scripting) vulnerabilities using the p/xss configuration.
+        # Save the results in SARIF format to semgrep-xss-results.sarif.
+        # Continue the workflow even if there are errors during the scan.
 
-      # Run the "semgrep ci" command on the command line of the docker image.
-      - name: Run semgrep command line
-        run: semgrep --config p/xss --sarif --output=semgrep.sarif
+      - name: Run Semgrep High-Confidence SAST Scan
+        run: semgrep --config p/ci --sarif --output=semgrep-ci-results.sarif
         continue-on-error: true
+        # Execute Semgrep to scan the code for XSS (Cross-Site Scripting) vulnerabilities using the p/xss configuration.
+        # Save the results in SARIF format to semgrep-xss-results.sarif.
+        # Continue the workflow even if there are errors during the scan.
+
+      - name: Upload XSS SARIF file for GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: semgrep-xss-results.sarif
+          category: "Semgrep XSS Scan"
+        if: always()
+        # Upload the SARIF file with scan results to the GitHub Advanced Security Dashboard.
 
-      - name: Upload SARIF file for GitHub Advanced Security Dashboard
+      - name: Upload CI SARIF file for GitHub Advanced Security Dashboard
         uses: github/codeql-action/upload-sarif@v2
         with:
-          sarif_file: semgrep.sarif
-        if: always()
+          sarif_file: semgrep-ci-results.sarif
+          category: "Semgrep High-Confidence SAST Scan"
+        if: always()
+        # Upload the SARIF file with scan results to the GitHub Advanced Security Dashboard.