name: Semgrep

on:
  # Scan changed files in PRs, block on new issues only (existing issues ignored)
  pull_request:
    branches:    
      - master
      - main

  # Schedule this job to run at a certain time, using cron syntax
  # Note that * is a special character in YAML so you have to quote this string
  schedule:
    - cron: '00 03 * * 0' # scheduled for 8.30 AM on every sunday

jobs:
  central-semgrep:
    name: Static code Analysis
    uses: navi-infosec/central-semgrep-action/.github/workflows/central-semgrep.yml@master
    with:
      github-event-number: ${{github.event.number}}
      github-event-name: ${{github.event_name}}
      github-repository: ${{github.repository}}
    secrets:
      READ_SEMGREP_RULES: ${{secrets.READ_SEMGREP_RULES}}
      
  run-if-failed:
    runs-on: [ self-hosted ]
    needs: [central-semgrep]
    if: always() && (needs.semgrep.result == 'failure')
    steps:
      - name: Create comment
        if: ${{ ( github.event.number != '' ) }}
        uses: navi-synced-actions/create-or-update-comment@v2
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body: |
             **Vulnerabilities have been discovered in this PR. Please check the vulnerability Analysis section of Semgrep Workflow to understand the security vulnerability. Feel free to reach out to #sast-help for more information **
             
      - name: Assign Reviewers
        if: ${{ ( github.event.number != '' ) }}
        uses: navi-infosec/security-oncall-action@v1.1