Semgrep Full Scan #182
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Semgrep Full Scan | |
# sarifファイルをアップロードするために事前にgithubのリソースに対するアクセス権を与える必用がある。 | |
#リポジトリの設定から --> Code and automation --> Actions --> GeneralのWorkflow permissionsをRead and write permissionsに[参考画像](../../doc/fig/semgrep_upgrade_grant.png) | |
on: | |
push: | |
paths: | |
- "src/**.tsx" | |
- "src/**.ts" | |
- "public/**.html" | |
- ".github/workflows/react-semgrep.yaml" | |
schedule: | |
# 日曜日の午前0時に実行 | |
- cron: '0 0 * * 0' | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
semgrep-full: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
security-events: write | |
container: | |
image: returntocorp/semgrep:sha-69df2e1 | |
steps: | |
- name: clone application source code | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: install package using aqua | |
uses: aquaproj/aqua-installer@6ce1f8848ec8e61f14d57bd5d7597057a6dd187c # v3.0.1 | |
with: | |
aqua_version: v2.29.0 | |
- name: full scan | |
run: | | |
github-comment exec --token ${{ secrets.TOKEN }} -- semgrep \ | |
--sarif --output report.sarif \ | |
--metrics=off \ | |
--config="p/default" | |
# reportsを生成(Actionsから確認できる) | |
- name: save report as pipeline artifact | |
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
with: | |
name: report.sarif | |
path: report.sarif | |
# scanの結果を解析。GithubのSecurity --> Code Scanning等でアラートが見られる。 | |
# | |
- name: publish code scanning alerts | |
uses: github/codeql-action/upload-sarif@a073c66b2accf653a511d88537804dcafa07812e # v2.25.10 | |
with: | |
sarif_file: report.sarif | |
category: semgrep |