react-semgrep.yaml

name: Semgrep Full Scan
# sarifファイルをアップロードするために事前にgithubのリソースに対するアクセス権を与える必用がある。
#リポジトリの設定から --> Code and automation --> Actions --> GeneralのWorkflow permissionsをRead and write permissionsに[参考画像](../../doc/fig/semgrep_upgrade_grant.png)
on:
  push:
    paths:
      - "src/**.tsx"
      - "src/**.ts"
      - "public/**.html"
      - ".github/workflows/react-semgrep.yaml"
  schedule:
    # 日曜日の午前0時に実行
    - cron:  '0 0 * * 0'
defaults:
  run:
    shell: bash

jobs:
  semgrep-full:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    container:
      image: returntocorp/semgrep:sha-69df2e1

    steps:
      - name: clone application source code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: install package using aqua
        uses: aquaproj/aqua-installer@6ce1f8848ec8e61f14d57bd5d7597057a6dd187c # v3.0.1
        with:
          aqua_version: v2.29.0
      - name: full scan
        run: |
          github-comment exec --token ${{ secrets.TOKEN }} -- semgrep \
            --sarif --output report.sarif \
            --metrics=off \
            --config="p/default"
      # reportsを生成(Actionsから確認できる)
      - name: save report as pipeline artifact
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: report.sarif
          path: report.sarif
      # scanの結果を解析。GithubのSecurity --> Code Scanning等でアラートが見られる。
      #
      - name: publish code scanning alerts
        uses: github/codeql-action/upload-sarif@a073c66b2accf653a511d88537804dcafa07812e # v2.25.10
        with:
          sarif_file: report.sarif
          category: semgrep