From 23d631d4ddd37808a98d48de8a241eff98212cbe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?crypticG=C3=B8=C3=B8se?= Date: Wed, 2 Apr 2025 14:33:39 +0200 Subject: [PATCH 1/2] Create semgrep.yml --- .github/workflows/semgrep.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/workflows/semgrep.yml diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 0000000..1b7d1c9 --- /dev/null +++ b/.github/workflows/semgrep.yml @@ -0,0 +1,30 @@ +# Name of this GitHub Actions workflow. +name: Semgrep + +on: + # Scan changed files in PRs (diff-aware scanning): + pull_request: {} + # Scan on-demand through GitHub Actions interface: + workflow_dispatch: {} + # Scan mainline branches and report all findings: + push: + branches: ["main"] + # Schedule the CI job (this method uses cron syntax): + schedule: + - cron: '50 14 * * *' + # It is recommended to change the schedule to a random time. + +jobs: + semgrep-check: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Semgrep + uses: utilitywarehouse/semgrep-rules/setup-semgrep@latest + with: + # Github token used to checkout private rules + token: ${{ secrets.DEPLOY_GITHUB_TOKEN }} + # Enable verbose output to help debug rules + verbose: true + extra_args: "--exclude-rule dgryski.semgrep-go.timeafter.leaky-time-after" From 2394b37cc311930b2083222023dfa20523829f22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?crypticG=C3=B8=C3=B8se?= Date: Wed, 2 Apr 2025 14:35:39 +0200 Subject: [PATCH 2/2] Update semgrep.yml --- .github/workflows/semgrep.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 1b7d1c9..de11dd5 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml 
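Review bot: The Semgrep step pulls a third-party composite action at a mutable ref, `uses: utilitywarehouse/semgrep-rules/setup-semgrep@latest`, and hands it `secrets.DEPLOY_GITHUB_TOKEN`, so anyone who can move that tag (or compromise that repository) can run code in this job with that token; pin it to the full commit SHA of a release you have reviewed, with the version in a trailing comment, and do the same for `actions/checkout@v4`. The workflow also declares no `permissions:` block, so the job's `GITHUB_TOKEN` gets the repository default rather than least privilege; add `permissions:` with `contents: read` at workflow level and widen only if the action is found to need more (for example `pull-requests: write` if it comments on PRs). If `DEPLOY_GITHUB_TOKEN` is a broadly scoped PAT, as the name suggests, consider whether a read-only token or a GitHub App installation token scoped to the private rules repository would be enough for the checkout the comment describes. On `pull_request` runs from forks the secret will be empty, so the private-rule checkout presumably fails or is skipped there; confirm the action's behaviour and record it above the `token:` line, e.g. `# Empty on fork PRs (secrets are not exposed) — confirm how setup-semgrep behaves without it`.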
@@ -27,4 +27,3 @@ jobs: token: ${{ secrets.DEPLOY_GITHUB_TOKEN }} # Enable verbose output to help debug rules verbose: true - extra_args: "--exclude-rule dgryski.semgrep-go.timeafter.leaky-time-after"