Skip to content

Commit

Permalink
[actions] Support Semgrep by Github Actions (sonic-net#116)
Browse files Browse the repository at this point in the history
**Why I did it**
[Semgrep](https://github.com/returntocorp/semgrep) is a static analysis tool to find security vulnerabilities.
When opening a PR or commtting to PR, Semgrep performs a diff-aware scanning, which scans changed files in PRs.
When merging PR, Semgrep performs a full scan on master branch and report all findings.

Ref: - [Supported Language](https://semgrep.dev/docs/supported-languages/#language-maturity) - [Semgrep Rules](https://registry.semgrep.dev/rule)

**How I did it**
Integrate Semgrep into this repository by committing a job configuration file
  • Loading branch information
maipbui authored Jun 19, 2023
1 parent 1ad89d4 commit 4a2ff41
Showing 1 changed file with 22 additions and 0 deletions.
22 changes: 22 additions & 0 deletions .github/workflows/semgrep.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
name: Semgrep

on:
pull_request: {}
push:
branches:
- master
- '201[7-9][0-1][0-9]'
- '202[0-9][0-1][0-9]'

jobs:
semgrep:
if: github.repository_owner == 'sonic-net'
name: Semgrep
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep
steps:
- uses: actions/checkout@v3
- run: semgrep ci
env:
SEMGREP_RULES: p/default

0 comments on commit 4a2ff41

Please sign in to comment.