Implement automatic static code scan with Semgrep

2025-04-28 10:42:08 +00:00 · 2022-11-20 10:53:11 +01:00 · 2022-11-20 10:53:11 +01:00 · 681ea420c1
commit 681ea420c1
parent 48ea54748f
2 changed files with 72 additions and 0 deletions
--- a/.github/workflows/sast_semgrep_full.yml
+++ b/.github/workflows/sast_semgrep_full.yml
@ -0,0 +1,44 @@
+---
+name: Semgrep Full Scan
+
+on:
+  workflow_dispatch:
+    branches:
+      - main
+  schedule:
+    - cron:  '0 1 * * 6'
+
+jobs:
+
+  semgrep-full:
+      runs-on: ubuntu-latest
+      container:
+        image: returntocorp/semgrep
+
+      steps:
+
+        # step 1
+        - name: clone application source code
+          uses: actions/checkout@v3
+
+        # step 2
+        - name: full scan
+          run: |
+            semgrep \
+              --sarif --output report.sarif \
+              --metrics=off \
+              --config="p/default"
+
+        # step 3
+        - name: save report as pipeline artifact
+          uses: actions/upload-artifact@v3
+          with:
+            name: report.sarif
+            path: report.sarif
+
+        # step 4
+        - name: publish code scanning alerts
+          uses: github/codeql-action/upload-sarif@v2
+          with:
+            sarif_file: report.sarif
+            category: semgrep
--- a/.github/workflows/sast_semgrep_pull.yml
+++ b/.github/workflows/sast_semgrep_pull.yml
@ -0,0 +1,28 @@
+---
+name: Semgrep Differential Scan
+on:
+  pull_request
+
+jobs:
+
+  semgrep-diff:
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+
+    steps:
+
+      # step 1
+      - name: clone application source code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      # step 2
+      - name: differential scan
+        run: |
+          semgrep scan \
+            --error \
+            --metrics=off \
+            --baseline-commit ${{ github.event.pull_request.base.sha }} \
+            --config="p/default"