name: Semgrep
on:
  # Scan changed files in PRs, block on new issues only (existing issues ignored)
  pull_request: {}
  push:
    branches:
      - main
    paths:
      - .github/workflows/semgrep.yml
  schedule:
    - cron: '0 0 * * 0'
jobs:
  semgrep:
    name: Scan
    runs-on: ubuntu-latest
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@v3
      - name: Get Diff
        uses: technote-space/get-diff-action@v6.0.1
        with:
          PATTERNS: |
            **/*.go
            **/*.js
            **/*.ts
            **/*.sol
            go.mod
            go.sum
      - uses: returntocorp/semgrep-action@v1
        with:
          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
           # Upload findings to GitHub Advanced Security Dashboard [step 1/2]
          # See also the next step.
          generateSarif: "1"
        if: "env.GIT_DIFF_FILTERED != ''"
      # Upload findings to GitHub Advanced Security Dashboard [step 2/2]
      - name: Upload SARIF file for GitHub Advanced Security Dashboard
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: semgrep.sarif
        if: "env.GIT_DIFF_FILTERED != ''"