Skip to content

Semgrep Full Scan

Semgrep Full Scan #18

---
name: Semgrep Full Scan
on:
workflow_dispatch:
branches:
- master
schedule:
- cron: "0 1 * * 6"
jobs:
semgrep-full:
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep
steps:
# step 1
- name: clone application source code
uses: actions/checkout@v4
# step 2
- name: full scan
run: |
semgrep \
--sarif --output report.sarif \
--metrics=off \
--config="p/default"
# step 3
- name: save report as pipeline artifact
uses: actions/upload-artifact@v4
with:
name: report.sarif
overwrite: true
path: report.sarif
# step 4
- name: publish code scanning alerts
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: report.sarif
category: semgrep