Skip to content

Semgrep Full Scan

Semgrep Full Scan #182

name: Semgrep Full Scan
# sarifファイルをアップロードするために事前にgithubのリソースに対するアクセス権を与える必用がある。
#リポジトリの設定から --> Code and automation --> Actions --> GeneralのWorkflow permissionsをRead and write permissionsに[参考画像](../../doc/fig/semgrep_upgrade_grant.png)
on:
push:
paths:
- "src/**.tsx"
- "src/**.ts"
- "public/**.html"
- ".github/workflows/react-semgrep.yaml"
schedule:
# 日曜日の午前0時に実行
- cron: '0 0 * * 0'
defaults:
run:
shell: bash
jobs:
semgrep-full:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
container:
image: returntocorp/semgrep:sha-69df2e1
steps:
- name: clone application source code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: install package using aqua
uses: aquaproj/aqua-installer@6ce1f8848ec8e61f14d57bd5d7597057a6dd187c # v3.0.1
with:
aqua_version: v2.29.0
- name: full scan
run: |
github-comment exec --token ${{ secrets.TOKEN }} -- semgrep \
--sarif --output report.sarif \
--metrics=off \
--config="p/default"
# reportsを生成(Actionsから確認できる)
- name: save report as pipeline artifact
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: report.sarif
path: report.sarif
# scanの結果を解析。GithubのSecurity --> Code Scanning等でアラートが見られる。
#
- name: publish code scanning alerts
uses: github/codeql-action/upload-sarif@a073c66b2accf653a511d88537804dcafa07812e # v2.25.10
with:
sarif_file: report.sarif
category: semgrep