diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 000000000..5e1aac413
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,29 @@
+name: Semgrep
+on:
+  push:
+    branches-ignore:
+      - "dependabot/**"
+  pull_request:
+    branches:
+      - "dependabot/**"
+jobs:
+  semgrep:
+    name: semgrep/ci
+    runs-on: ubuntu-latest
+
+    container:
+      image: semgrep/semgrep
+
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      - uses: actions/checkout@v4
+      - run: semgrep ci --dry-run --sarif > semgrep.sarif
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+
+      - name: Upload SARIF file for GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: semgrep.sarif
+        if: always()
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
deleted file mode 100644
index 235cff5c0..000000000
--- a/.github/workflows/snyk.yml
+++ /dev/null
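Review bot: The upload step pins `uses: github/codeql-action/upload-sarif@v2`, a step backwards from the `@v3` used by the Snyk workflow this commit deletes, and the v2 major is no longer maintained; change it to `uses: github/codeql-action/upload-sarif@v3`. The workflow also declares no `permissions:` block, and `upload-sarif` needs `security-events: write` — if the repository's default token permissions are read-only the upload step will fail even under `if: always()`; add `permissions: { contents: read, security-events: write }` at the job level. `run: semgrep ci --dry-run --sarif > semgrep.sarif` looks intentional for a SARIF-only flow, but `--dry-run` also keeps findings from being reported to the Semgrep platform even though `SEMGREP_APP_TOKEN` is supplied, so a one-line comment stating that intent would help, e.g. `# --dry-run: fetch platform rules but report findings only via the SARIF upload`. Finally, `image: semgrep/semgrep` and both actions are referenced by mutable tag rather than a digest or commit SHA, which leaves the scanner's own supply chain unpinned.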
@@ -1,36 +0,0 @@
-name: Snyk
-on:
-  push:
-    branches-ignore:
-      - "dependabot/**"
-  pull_request:
-    branches:
-      - "dependabot/**"
-jobs:
-  golang-snyk:
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout repositories and submodules
-        uses: actions/checkout@v4
-        with:
-          submodules: recursive
-
-      - name: Run Snyk
-        uses: snyk/actions/golang@0.4.0
-        continue-on-error: true # To make sure that SARIF upload gets called
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          args: --sarif-file-output=snyk.sarif --all-projects --detection-depth=4
-
-      # Replace any "undefined" security severity values with 0. The undefined value is used in the case
-      # of license-related findings, which do not do not indicate a security vulnerability.
-      # See https://github.com/github/codeql-action/issues/2187 for more context.
-      - name: Post-process sarif output
-        run: |
-          sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
-
-      - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: snyk.sarif
\ No newline at end of file