From 1e150896cbdecc9b7af8c969396591d9cec20059 Mon Sep 17 00:00:00 2001
From: rparchuri <87338819+rparchuri@users.noreply.github.com>
Date: Wed, 1 Sep 2021 14:19:58 -0700
Subject: [PATCH] Create semgrep-analysis for Static analysis

This will be used for sast scanning to identify and discover code security gaps and provide recommendations on the findings. Currently just in the testing phase only.
---
 .github/workflows/semgrep-analysis.yml | 37 ++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 .github/workflows/semgrep-analysis.yml

diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml
new file mode 100644
index 000000000..b43d43624
--- /dev/null
+++ b/.github/workflows/semgrep-analysis.yml
@@ -0,0 +1,37 @@
+# This workflow file requires a free account on Semgrep.dev to
+# manage rules, file ignores, notifications, and more.
+#
+# See https://semgrep.dev/docs
+
+name: Semgrep
+
+on:
+  push:
+    branches: [ master, v*.12.* ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '24 14 * * 6'
+
+jobs:
+  semgrep:
+    name: Scan
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout project source
+      - uses: actions/checkout@v2
+
+      # Scan code using project's configuration on https://semgrep.dev/manage
+      - uses: returntocorp/semgrep-action@v1
+        with:
+          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
+          publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}
+          generateSarif: "1"
+
+      # Upload SARIF file generated in previous step
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: semgrep.sarif
+        if: always()
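Review bot: The new workflow declares no `permissions:` block, so every step in the `semgrep` job — including the third-party `returntocorp/semgrep-action@v1`, which is handed `SEMGREP_APP_TOKEN` — runs with the repository's default `GITHUB_TOKEN` scope; add at the top level `permissions:` / `  contents: read` / `  security-events: write`, which is all `actions/checkout` and `upload-sarif` require. All three `uses:` references are mutable major-version tags; pinning them to full commit SHAs (`uses: returntocorp/semgrep-action@<FULL_COMMIT_SHA>  # v1`) keeps an upstream tag move from silently changing the code that runs against the checkout and the secrets. On `pull_request` events from forked repositories GitHub does not expose repository secrets, so `publishToken` will presumably expand to empty there and the scan step may fail or run unauthenticated — worth confirming and either guarding the step with `if: github.event.pull_request.head.repo.full_name == github.repository` or accepting that fork PRs are not scanned. `if: always()` on the upload step also fires after a cancelled scan when no `semgrep.sarif` exists; `if: success() || failure()` narrows it to the cases where the file can be present.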