master #5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Semgrep Full Scan | |
| # sarifファイルをアップロードするために事前にgithubのリソースに対するアクセス権を与える必用がある。 | |
| #リポジトリの設定から --> Code and automation --> Actions --> GeneralのWorkflow permissionsをRead and write permissionsに[参考画像](../../doc/fig/semgrep_upgrade_grant.png) | |
| on: | |
| push: | |
| schedule: | |
| # 日曜日の午前0時に実行 | |
| - cron: '0 0 * * 0' | |
| jobs: | |
| semgrep-full: | |
| runs-on: ubuntu-latest | |
| container: | |
| image: returntocorp/semgrep | |
| steps: | |
| - name: clone application source code | |
| uses: actions/checkout@v3 | |
| - name: full scan | |
| run: | | |
| semgrep \ | |
| --sarif --output report.sarif \ | |
| --metrics=off \ | |
| --config="p/default" | |
| # reportsを生成(Actionsから確認できる) | |
| - name: save report as pipeline artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: report.sarif | |
| path: report.sarif | |
| # scanの結果を解析。GithubのSecurity --> Code Scanning等でアラートが見られる。 | |
| - name: publish code scanning alerts | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: report.sarif | |
| category: semgrep |