.github/workflows/semgrep.yml

name: Semgrep

# https://semgrep.dev/docs/semgrep-ci/sample-ci-configs/#sample-github-actions-configuration-file
on:
    pull_request_target:
        branches:
            - master
    push:
        branches:
            - master
    schedule:
        # random HH:MM to avoid a load spike on GitHub Actions at 00:00
        - cron: 21 20 * * *

jobs:
    semgrep:
        name: Scan
        runs-on: ubuntu-latest
        container:
            image: returntocorp/semgrep
        if: (github.triggering_actor != 'dependabot[bot]')
        permissions:
            security-events: write
        steps:
            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
            - run: semgrep ci --sarif > semgrep.sarif
              env:
                  SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
            - name: Upload SARIF file for GitHub Advanced Security Dashboard
              uses: github/codeql-action/upload-sarif@v4
              with:
                  sarif_file: semgrep.sarif
              if: always()