semgrep.yaml

name: Semgrep

on:
  # Scan changed files in PRs, block on new issues only (existing issues ignored)
  pull_request: {}

jobs:
  semgrep:
    name: Scan
    runs-on: ubuntu-latest
    # Skip any PR created by dependabot to avoid permission issues
    if: (github.actor != 'dependabot[bot]')
    steps:
      # Fetch project source
      - uses: actions/checkout@v4

      - uses: returntocorp/semgrep-action@v1
        with:
          config: >- # more at semgrep.dev/explore
            p/security-audit
            p/secrets
            p/ci
            p/r2c
            p/r2c-ci
            p/docker
            p/dockerfile
            p/command-injection
          generateSarif: "1"

      # Upload findings to GitHub Advanced Security Dashboard [step 2/2]
      - name: Upload SARIF file for GitHub Advanced Security Dashboard
        uses: github/codeql-action/upload-sarif@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4
        with:
          sarif_file: semgrep.sarif
        if: always()