From fd3c803b44b23128d3f54c39cc5ac3c2dca9c3be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Federico=20Kunze=20K=C3=BCllmer?= <31522760+fedekunze@users.noreply.github.com>
Date: Mon, 24 Jan 2022 15:35:02 +0100
Subject: [PATCH] ci: semgrep config (#917)

* ci: enable semgrep config
* fix config
* ignore grpc web
---
 .github/workflows/semgrep.yml | 41 +++++++++++++++++++++++++++++++++++
 .semgrepignore | 29 +++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 .github/workflows/semgrep.yml
 create mode 100644 .semgrepignore

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 00000000..9570d52d
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,41 @@
+name: Semgrep
+on:
+ # Scan changed files in PRs, block on new issues only (existing issues ignored)
+ pull_request: {}
+ push:
+ branches:
+ - main
+ paths:
+ - .github/workflows/semgrep.yml
+ schedule:
+ - cron: '0 0 * * 0'
+jobs:
+ semgrep:
+ name: Scan
+ runs-on: ubuntu-latest
+ if: (github.actor != 'dependabot[bot]')
+ steps:
+ - uses: actions/checkout@v2
+ - name: Get Diff
+ uses: technote-space/get-diff-action@v6.0.1
+ with:
+ PATTERNS: |
+ **/*.go
+ **/*.js
+ **/*.ts
+ **/*.sol
+ go.mod
+ go.sum
+ - uses: returntocorp/semgrep-action@v1
+ with:
+ publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
+ # Upload findings to GitHub Advanced Security Dashboard [step 1/2]
+ # See also the next step.
+ generateSarif: "1"
+ if: "env.GIT_DIFF_FILTERED != ''"
+ # Upload findings to GitHub Advanced Security Dashboard [step 2/2]
+ - name: Upload SARIF file for GitHub Advanced Security Dashboard
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: semgrep.sarif
+ if: "env.GIT_DIFF_FILTERED != ''"
diff --git a/.semgrepignore b/.semgrepignore
new file mode 100644
index 00000000..cb655af1
--- /dev/null
+++ b/.semgrepignore
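Review bot: The `if: "env.GIT_DIFF_FILTERED != ''"` guard on both the semgrep-action step and the upload-sarif step skips them whenever the Get Diff step reports no matching files, which is the case for the weekly `schedule` trigger (no diff to compute) and for the `push` trigger (its `paths` filter admits only this workflow file, which matches none of the PATTERNS), so in practice only `pull_request` runs ever scan anything. Changing both guards to `if: github.event_name != 'pull_request' || env.GIT_DIFF_FILTERED != ''` would let the scheduled run cover the full tree as the cron entry appears to intend. Separately, every third-party action is referenced by a mutable tag (`actions/checkout@v2`, `technote-space/get-diff-action@v6.0.1`, `returntocorp/semgrep-action@v1`, `github/codeql-action/upload-sarif@v1`); pinning each to a full commit SHA with the tag in a trailing comment keeps the scanner's own supply chain fixed, which matters most for a job that receives `secrets.SEMGREP_APP_TOKEN`. A top-level `permissions:` block granting only `contents: read` and `security-events: write` (the latter is what upload-sarif needs) would also be worth adding, though whether the default token is currently broader depends on the repository's settings.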
@@ -0,0 +1,29 @@
+# Ignore git items
+.gitignore
+.git/
+:include .gitignore
+
+# Common large paths
+node_modules/
+build/
+dist/
+vendor/
+.env/
+.venv/
+.tox/
+*.min.js
+*.pb.gw.go
+
+# Common test paths
+test/
+tests/
+*_test.go
+
+# Semgrep rules folder
+.semgrep
+
+# Semgrep-action log folder
+.semgrep_logs/
+
+# Documentation
+client/docs/
\ No newline at end of file
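Review bot: The last entry `client/docs/` is written without a trailing newline (the hunk ends with "No newline at end of file"); adding one avoids a spurious diff on the next edit. The list excludes `*.pb.gw.go` (the grpc-gateway output the commit message mentions) but not `*.pb.go`, so if the repository also contains regular protobuf-generated Go sources they will still be scanned and may produce findings nobody can act on — worth confirming and, if so, adding `*.pb.go` beside it. Excluding `test/`, `tests/` and `*_test.go` also means any rule targeting hardcoded credentials will not see test fixtures; that is a common trade-off for noise, but it should be a deliberate one, so a short comment on the "Common test paths" group stating that intent would help the next reader.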