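---
# Semgrep SAST workflow: scans pull requests against master/main (and the
# repository on a weekly schedule), uploads findings to an internal collector,
# and when the scan fails comments on the PR and assigns the security on-call.
name: Semgrep

# yamllint disable-line rule:truthy
on:
  # Scan changed files in PRs, block on new issues only (existing issues ignored)
  pull_request:
    branches:
      - master
      - main
  # Schedule this job to run at a certain time, using cron syntax
  # Note that * is a special character in YAML so you have to quote this string
  schedule:
    - cron: '00 03 * * 0'  # 03:00 UTC every Sunday (the original "8.30 AM" note matches IST)

jobs:
  semgrep:
    name: Static code Analysis
    # NOTE(review): self-hosted runners execute the checked-out PR code; confirm
    # this runner pool is intended for `pull_request` workloads from this repo.
    runs-on: [self-hosted]
    # Least privilege: this job only reads source and calls out with curl, so
    # its GITHUB_TOKEN needs no write scope.
    permissions:
      contents: read
    # Skip any PR created by dependabot to avoid permission issues
    if: (github.actor != 'dependabot[bot]')
    steps:
      # NOTE(review): `@master` and `@vN` are mutable refs; pinning each action
      # to a full commit SHA prevents a moved tag from changing what runs here.
      - name: Clean workspace
        uses: navi-infra/clean-workspace@master

      # Fetch Project Source
      - name: Checkout Source Repository
        uses: actions/checkout@v3

      # Fetch Semgrep Rules. The rules repo is checked out at its default
      # branch, so whatever is on that branch at run time decides what is flagged.
      - name: Fetching Semgrep Rules
        uses: actions/checkout@v3
        with:
          repository: Information-Security/semgrep-rules
          path: semgrep-rules

      # First run prints human-readable findings to the log and never fails the
      # step (`|| true`); second run writes JSON for the collector and its exit
      # status decides whether the step fails. Two lines under `run: |` (bash -e)
      # behave exactly like the former `a || true && b` chain, but read clearly.
      - name: Semgrep Scan
        run: |
          semgrep ci -q || true
          semgrep ci -q --json > semgrep.json
        env:
          PR_NUMBER: ${{ github.event.number }}
          # Select rules for your scan with one of these two options.
          # Option 1: set hard-coded rulesets
          SEMGREP_RULES: >- # more at semgrep.dev/r
            ./semgrep-rules

      # Runs only when a previous step failed, i.e. the JSON scan exited
      # non-zero (blocking findings, or a semgrep error — in the latter case
      # semgrep.json may be empty or partial).
      # Context values are passed through env vars instead of being spliced into
      # the shell line with ${{ }}, so the shell never parses expression output.
      # NOTE(review): the collector is reached over plain http, so findings
      # (including code snippets) travel in cleartext; prefer https if the
      # endpoint offers it.
      - name: Send Vulnerablity Result(s)
        if: failure()
        env:
          REPO_NAME: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.number }}
          EVENT_NAME: ${{ github.event_name }}
        run: >-
          /usr/bin/curl -sS -X POST http://semgrep.cmd.navi-tech.in/v1/semgrep/
          -H "X-repo-name:${REPO_NAME}"
          -H "X-pr-number:${PR_NUMBER}"
          -H "X-event-name:${EVENT_NAME}"
          -H "Content-Type:application/json"
          -d @semgrep.json

      # Always runs (no `if:`), including on scheduled runs where PR_NUMBER is
      # empty. `-sS` keeps curl quiet but still logs a transport error.
      - name: Send Metadata
        env:
          REPO_NAME: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.number }}
          EVENT_NAME: ${{ github.event_name }}
        run: >-
          /usr/bin/curl -sS -X GET http://semgrep.cmd.navi-tech.in/v1/semgrep/
          -H "X-repo-name:${REPO_NAME}"
          -H "X-pr-number:${PR_NUMBER}"
          -H "X-event-name:${EVENT_NAME}"
          -H "Content-Type:application/json"

  run-if-failed:
    runs-on: [self-hosted]
    needs: [semgrep]
    # always() keeps this job eligible after an upstream failure; the result
    # check then narrows it to real scan failures (not skipped/cancelled runs).
    if: always() && (needs.semgrep.result == 'failure')
    # NOTE(review): no explicit `permissions:` here. Commenting and assigning
    # reviewers need write scope on pull requests/issues, and what
    # security-oncall-action requires is not visible from this file — confirm
    # before tightening.
    steps:
      # Only on PR events: github.event.number is absent on schedule runs.
      - name: Create comment
        if: ${{ ( github.event.number != '' ) }}
        uses: peter-evans/create-or-update-comment@v2
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            **Vulnerabilities have been discovered in this PR. Please check the vulnerability Analysis section of Semgrep Workflow to understand the security vulnerability. Feel free to reach out to #sast-help for more information **

      - name: Assign Reviewers
        if: ${{ ( github.event.number != '' ) }}
        uses: Information-Security/security-oncall-action@v1.1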