-
Notifications
You must be signed in to change notification settings - Fork 0
85 lines (71 loc) · 2.28 KB
/
Copy pathcodeql.yml
File metadata and controls
85 lines (71 loc) · 2.28 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
name: Code Scanning
on:
workflow_dispatch:
pull_request:
branches: [main]
push:
branches: [main]
schedule:
- cron: "25 3 * * 1"
permissions:
actions: read
contents: read
security-events: write
concurrency:
group: codeql-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
semgrep-blocking:
name: Semgrep blocking secrets
runs-on: ubuntu-latest
timeout-minutes: 10
env:
SEMGREP_VERSION: "1.136.0"
SEMGREP_SETUPTOOLS_VERSION: "80.9.0"
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- name: Setup Python
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
with:
python-version: "3.12"
- name: Install Semgrep
run: |
python -m pip install --disable-pip-version-check --no-cache-dir "setuptools==${SEMGREP_SETUPTOOLS_VERSION}" "semgrep==${SEMGREP_VERSION}"
semgrep --version | grep -Fx "${SEMGREP_VERSION}"
- name: Run blocking Semgrep secrets scan
run: |
semgrep scan \
--config p/secrets \
--error \
--metrics=off
semgrep:
name: semgrep sarif non-blocking upload
runs-on: ubuntu-latest
timeout-minutes: 20
env:
SEMGREP_VERSION: "1.136.0"
SEMGREP_SETUPTOOLS_VERSION: "80.9.0"
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- name: Setup Python
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
with:
python-version: "3.12"
- name: Install Semgrep
run: |
python -m pip install --disable-pip-version-check --no-cache-dir "setuptools==${SEMGREP_SETUPTOOLS_VERSION}" "semgrep==${SEMGREP_VERSION}"
semgrep --version | grep -Fx "${SEMGREP_VERSION}"
- name: Run Semgrep SARIF scan
run: |
semgrep scan \
--config p/php \
--config p/secrets \
--sarif \
--output semgrep.sarif \
--metrics=off || true
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4
with:
sarif_file: semgrep.sarif