Skip to content

build(deps): bump the dependencies group across 1 directory with 10 updates #403

build(deps): bump the dependencies group across 1 directory with 10 updates

build(deps): bump the dependencies group across 1 directory with 10 updates #403

Workflow file for this run

# PR単位で差分があるファイルに対してSemgrep(SASTツール)を実行し、
# 脆弱性につながる可能性のある記述をPRコメントで指摘するワークフローです
# 詳細は以下のドキュメントをご参照ください
# https://andpad-dev.esa.io/posts/8984
name: semgrep
on:
pull_request
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
semgrep:
name: semgrep
runs-on: ubuntu-latest
# Skip any PR created by dependabot to avoid permission issues
if: (github.actor != 'dependabot[bot]')
steps:
- name: Check out code
uses: actions/checkout@v4 # v3.5.3
with:
fetch-depth: 0
- uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.0
- id: changed-files
uses: tj-actions/changed-files@cc733854b1f224978ef800d29e4709d5ee2883e4 # v44.5.5
- id: run-semgrep
if: steps.changed-files.outputs.all_changed_files_count != '0'
name: Run semgrep
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
docker run \
-v $(pwd):/workdir \
--workdir /workdir \
returntocorp/semgrep:1.27.0@sha256:7026020ebb6c1aa477431a2ba550df3ae4d080822e391d03bb816eeac700a36b \
semgrep scan --config auto --severity WARNING --json ${{ steps.changed-files.outputs.all_changed_files }} \
| jq -r '.results[] | "\(.path):\(.start.line):\(.start.col): \(.extra.message)"' \
| sed 's#^/workdir/##' \
| reviewdog \
-efm="%f:%l:%c: %m" \
-diff="git diff FETCH_HEAD" \
-level=warning \
-reporter=github-pr-review