chore(ci): reorganize semgrep files

Signed-off-by: Roberto Scolaro <[email protected]>
falcosecurity · Jan 26, 2024 · e563bfa · e563bfa
1 parent f7c1321
commit e563bfa
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 28 deletions.
diff --git a/.github/workflows/insecure-api.yml b/.github/workflows/insecure-api.yml
diff --git a/.github/workflows/semgrep_checks.yml b/.github/workflows/semgrep_checks.yml
@@ -1,10 +1,30 @@
-name: Absolute include paths check
+name: Semgrep Checks
 on:
   pull_request:
     branches:
       - master
+      - 'release/**'
+      - 'maintainers/**'
 
 jobs:
+  insecure-api:
+    name: check-insecure-api
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep:1.41.0
+    steps:
+      - name: Checkout Libs ⤵️
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+      - name: Scan PR for insecure API usage 🕵️
+        run: |
+          semgrep scan \
+            --error \
+            --metrics=off \
+            --baseline-commit ${{ github.event.pull_request.base.sha }} \
+            --config=./semgrep/insecure-api
+
   absolute-include-paths:
     name: check-absolute-include-paths
     runs-on: ubuntu-latest

diff --git a/semgrep/insecure-api-gets.yaml → semgrep/insecure-api/insecure-api-gets.yaml b/semgrep/insecure-api-gets.yaml → semgrep/insecure-api/insecure-api-gets.yaml
diff --git a/semgrep/insecure-api-sprintf-vsprintf.yaml → ...re-api/insecure-api-sprintf-vsprintf.yaml b/semgrep/insecure-api-sprintf-vsprintf.yaml → ...re-api/insecure-api-sprintf-vsprintf.yaml
diff --git a/...ep/insecure-api-strcpy-stpcpy-strcat.yaml → ...pi/insecure-api-strcpy-stpcpy-strcat.yaml b/...ep/insecure-api-strcpy-stpcpy-strcat.yaml → ...pi/insecure-api-strcpy-stpcpy-strcat.yaml
diff --git a/semgrep/insecure-api-strn.yaml → semgrep/insecure-api/insecure-api-strn.yaml b/semgrep/insecure-api-strn.yaml → semgrep/insecure-api/insecure-api-strn.yaml