Merge branch 'main' into semgrep #8
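# SPDX-License-Identifier: Apache-2.0 OR MIT
# SPDXVersion: SPDX-2.0
# DataLicense: CC0-1.0
# PackageOriginator: Manifold Finance, Inc
# FileCopyrightText: Copyright 2023 Manifold Finance, Inc.
# Solidity Semgrep Actions Workflow
# Version 2023.07.17:53252e1d-0a43-5c72-aafe-ce349f120e6b
#
# Runs Semgrep with the decurity/semgrep-smart-contracts Solidity rulesets
# and uploads the SARIF report to the GitHub code-scanning dashboard.
name: semgrep

on:
  # Scan changed files in PRs (diff-aware scanning):
  pull_request: {}
  # On-demand
  workflow_dispatch: {}
  schedule:
    # random HH:MM to avoid a load spike on GitHub Actions at 00:00
    - cron: '39 13 * * *'
  push:
    paths:
      - "**.sol"
      - ".github/workflows/semgrep.yml"

defaults:
  run:
    shell: bash

env:
  # Workflow-wide; every step inherits it, so it is not repeated per step.
  SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

jobs:
  semgrep:
    # User-definable name of this GitHub Actions job.
    # (The previous value referenced `matrix.test-version` and `matrix.os`,
    # but this job declares no `strategy.matrix`, so both expressions
    # rendered as empty strings.)
    name: Semgrep (Solidity)
    # If you are self-hosting, change the following `runs-on` value:
    # <https://github.com/actions/runner-images/blob/releases/ubuntu22/20230710/README.md#available-images>
    # <ubuntu-22.04:sha256:0bced47fffa3361afa981854fcabcd4577cd43cebbb808cea2b1f33a3dd7f508>
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # required for all workflows
      security-events: write
      # only required for workflows in private repositories
      actions: read
    container:
      # A Docker image with Semgrep installed. Do not change this.
      image: returntocorp/semgrep:sha-ebbf6f9
    # Skip any PR created by dependabot to avoid permission issues:
    if: (github.actor != 'dependabot[bot]')
    steps:
      # The job runs in a container, so the workspace is empty until the
      # repository itself is checked out; previously only the rules repo was
      # fetched, leaving Semgrep nothing of this project to scan. This step
      # must precede the rules checkout: actions/checkout cleans the
      # workspace, which would remove `rules/` if it were already present.
      - name: Checkout repository
        id: checkout
        uses: actions/checkout@v3

      - name: Fetch semgrep rules
        id: fetch-rules
        uses: actions/checkout@v3
        with:
          repository: decurity/semgrep-smart-contracts
          # NOTE(review): this fetches the default-branch head of a
          # third-party repository on every run; pin `ref:` to a reviewed
          # commit SHA (placeholder: <REVIEWED_RULES_COMMIT_SHA>) so that
          # rule changes are taken deliberately.
          path: rules

      # Step name corrected: this runs Semgrep, not Slither.
      - name: Run Semgrep
        id: semgrep
        # `--exclude=rules` keeps the checked-out rules repository (and its
        # test fixtures) out of the scan target set.
        run: semgrep ci --sarif --output=semgrep.sarif --exclude=rules
        # Findings and tool errors are reported through the SARIF upload
        # rather than by failing the job. Step-level continue-on-error
        # replaces the former `|| true`, so a non-zero exit is still visible
        # in the step outcome instead of being silently discarded.
        continue-on-error: true
        env:
          SEMGREP_RULES: "rules/solidity/security rules/solidity/performance"

      # Upload findings to GitHub Advanced Security Dashboard
      - name: Upload findings to GitHub Advanced Security Dashboard
        id: sarif
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: semgrep.sarif
        # Runs even when the scan step reported failure, so partial results
        # are still uploaded.
        if: always()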