name: Semgrep on: # Scan changed files in PRs, block on new issues only (existing issues ignored) pull_request: {} push: branches: - main paths: - .github/workflows/semgrep.yml schedule: - cron: '0 0 * * 0' jobs: semgrep: name: Scan runs-on: ubuntu-latest if: (github.actor != 'dependabot[bot]') steps: - uses: actions/checkout@v3 - name: Get Diff uses: technote-space/get-diff-action@v6.0.1 with: PATTERNS: | **/*.go **/*.js **/*.ts **/*.sol go.mod go.sum - uses: returntocorp/semgrep-action@v1 with: publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} # Upload findings to GitHub Advanced Security Dashboard [step 1/2] # See also the next step. generateSarif: "1" if: "env.GIT_DIFF_FILTERED != ''" # Upload findings to GitHub Advanced Security Dashboard [step 2/2] - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 with: sarif_file: semgrep.sarif if: "env.GIT_DIFF_FILTERED != ''"