diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 8a5b34f..2d4c12f 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -1,20 +1,20 @@ name: Semgrep on: - workflow_dispatch: + # Scan changed files in PRs, block on new issues only (existing issues ignored) pull_request: - branches: + branches: - master - main - - development - - release-* + + # Schedule this job to run at a certain time, using cron syntax + # Note that * is a special character in YAML so you have to quote this string schedule: - - cron: '30 4 * * MON' - merge_group: + - cron: '00 03 * * 0' # scheduled for 8.30 AM on every sunday jobs: central-semgrep: - name: Static Code Analysis + name: Static code Analysis uses: navi-infosec/central-semgrep-action/.github/workflows/central-semgrep.yml@master with: github-event-number: ${{github.event.number}} @@ -22,10 +22,10 @@ jobs: github-repository: ${{github.repository}} secrets: READ_SEMGREP_RULES: ${{secrets.READ_SEMGREP_RULES}} - + run-if-failed: - runs-on: [ default ] - needs: [ central-semgrep ] + runs-on: [ self-hosted ] + needs: [central-semgrep] if: always() && (needs.semgrep.result == 'failure') steps: - name: Create comment @@ -34,7 +34,8 @@ jobs: with: issue-number: ${{ github.event.pull_request.number }} body: | - **Vulnerabilities have been discovered in this PR. Please check the vulnerability Analysis section of Semgrep Workflow to understand the security vulnerability. Feel free to reach out to #sast-help for more information** + **Vulnerabilities have been discovered in this PR. Please check the vulnerability Analysis section of Semgrep Workflow to understand the security vulnerability. Feel free to reach out to #sast-help for more information ** + - name: Assign Reviewers if: ${{ ( github.event.number != '' ) }} uses: navi-infosec/security-oncall-action@v1.1