semgrep.yml

name: Semgrep

on:
  merge_group:
  pull_request:
    types:
      - opened
      - synchronize
  push:
    branches:
      - master
  schedule:
    - cron: "30 0 1,15 * *"

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
  run:
    name: Check for Vulnerabilities
    runs-on: ubuntu-latest

    container:
      image: returntocorp/semgrep

    steps:
      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.

      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha || github.ref }}

      - run: semgrep ci
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}