diff --git a/.github/workflows/run-semgrep.yaml b/.github/workflows/run-semgrep.yaml new file mode 100644 index 000000000..bcc45a4f0 --- /dev/null +++ b/.github/workflows/run-semgrep.yaml @@ -0,0 +1,39 @@ +name: Run Semgrep + +on: + workflow_dispatch: + push: + paths: + - '**.sol' + pull_request: + paths: + - '**.sol' + +jobs: + semgrep: + name: Scan + runs-on: ubuntu-latest + + container: + image: returntocorp/semgrep + + if: (github.actor != 'dependabot[bot]') + + steps: + - uses: actions/checkout@v3 + + - name: Fetch semgrep rules + uses: actions/checkout@v3 + with: + repository: decurity/semgrep-smart-contracts + path: rules + + - run: semgrep ci --sarif --output=semgrep.sarif --include packages/contracts/src/dollar --no-suppress-errors + env: + SEMGREP_RULES: rules/solidity/security + + - name: Upload findings to GitHub Advanced Security Dashboard + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: semgrep.sarif + if: always() \ No newline at end of file diff --git a/.semgrepignore b/.semgrepignore new file mode 100644 index 000000000..7a613e799 --- /dev/null +++ b/.semgrepignore @@ -0,0 +1,8 @@ +# mocks +packages/contracts/src/dollar/mocks/ + +# deprecated contracts +packages/contracts/src/dollar/core/CreditNft.sol +packages/contracts/src/dollar/core/StakingShare.sol +packages/contracts/src/dollar/libraries/LibCreditNftManager.sol +packages/contracts/src/dollar/libraries/LibDollarMintExcess.sol