Skip to content

edit sonarqube.yml file + edit README #13

edit sonarqube.yml file + edit README

edit sonarqube.yml file + edit README #13

# Name of this GitHub Actions workflow.
name: Scan Application Code with Semgrep SAST
on:
# Trigger the workflow on the following events:
# Scan changed files in Pull Requests (diff-aware scanning).
pull_request: {}
# Trigger the workflow on-demand through the GitHub Actions interface.
workflow_dispatch: {}
# Scan mainline branches (main and development) and report all findings.
push:
branches: ["main", "development"]
jobs:
semgrep:
# User definable name of this GitHub Actions job.
name: Scan Application Code with Semgrep SAST
# Specify the runner environment. Use the latest version of Ubuntu.
runs-on: ubuntu-latest
# Define permissions for specific GitHub Actions.
permissions:
actions: read # Permission to read GitHub Actions.
contents: read # Permission to read repository contents.
security-events: write # Permission to write security events.
container:
# Use a Docker image with Semgrep installed. Do not change this.
image: returntocorp/semgrep
# Skip any Pull Request created by the Dependabot to avoid permission issues.
if: (github.actor != 'dependabot[bot]')
steps:
- name: Checkout code
uses: actions/checkout@v4
# Step: Checkout code
# Action to check out the code from the repository.
# This step fetches the codebase from the GitHub repository.
- name: Run Semgrep XSS Scan
run: semgrep --config p/xss --sarif --output=semgrep-xss-results.sarif
continue-on-error: true
# Execute Semgrep to scan the code for XSS (Cross-Site Scripting) vulnerabilities using the p/xss configuration.
# Save the results in SARIF format to semgrep-xss-results.sarif.
# Continue the workflow even if there are errors during the scan.
- name: Run Semgrep High-Confidence SAST Scan
run: semgrep --config p/ci --sarif --output=semgrep-ci-results.sarif
continue-on-error: true
# Execute Semgrep to scan the code for XSS (Cross-Site Scripting) vulnerabilities using the p/xss configuration.
# Save the results in SARIF format to semgrep-xss-results.sarif.
# Continue the workflow even if there are errors during the scan.
- name: Upload XSS SARIF file for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@main
with:
sarif_file: semgrep-xss-results.sarif
category: "Semgrep XSS Scan"
if: always()
# Upload the SARIF file with scan results to the GitHub Advanced Security Dashboard.
- name: Upload CI SARIF file for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@main
with:
sarif_file: semgrep-ci-results.sarif
category: "Semgrep High-Confidence SAST Scan"
if: always()
# Upload the SARIF file with scan results to the GitHub Advanced Security Dashboard.