-
Notifications
You must be signed in to change notification settings - Fork 0
46 lines (42 loc) · 1.72 KB
/
semgrep.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# PR単位で差分があるファイルに対してSemgrep(SASTツール)を実行し、
# 脆弱性につながる可能性のある記述をPRコメントで指摘するワークフローです
# 詳細は以下のドキュメントをご参照ください
# https://andpad-dev.esa.io/posts/8984
name: semgrep
on:
pull_request
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
semgrep:
name: semgrep
runs-on: ubuntu-latest
# Skip any PR created by dependabot to avoid permission issues
if: (github.actor != 'dependabot[bot]')
steps:
- name: Check out code
uses: actions/checkout@v4 # v3.5.3
with:
fetch-depth: 0
- uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.0
- id: changed-files
uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c # v44.5.7
- id: run-semgrep
if: steps.changed-files.outputs.all_changed_files_count != '0'
name: Run semgrep
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
docker run \
-v $(pwd):/workdir \
--workdir /workdir \
returntocorp/semgrep:1.27.0@sha256:7026020ebb6c1aa477431a2ba550df3ae4d080822e391d03bb816eeac700a36b \
semgrep scan --config auto --severity WARNING --json ${{ steps.changed-files.outputs.all_changed_files }} \
| jq -r '.results[] | "\(.path):\(.start.line):\(.start.col): \(.extra.message)"' \
| sed 's#^/workdir/##' \
| reviewdog \
-efm="%f:%l:%c: %m" \
-diff="git diff FETCH_HEAD" \
-level=warning \
-reporter=github-pr-review