varnitgoyal95/janus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
abe699527833446fef2433559fbae466db46508c
janus/.github/workflows/semgrep.yml

58 lines
2.4 KiB
YAML
Raw Blame History

name: Semgrep
on:
# Scan changed files in PRs, block on new issues only (existing issues ignored)
pull_request:
branches:
- master
- main
# Schedule this job to run at a certain time, using cron syntax
# Note that * is a special character in YAML so you have to quote this string
schedule:
- cron: '00 03 * * 0' # scheduled for 8.30 AM on every sunday
jobs:
semgrep:
name: Static code Analysis
runs-on: [ self-hosted ]
# Skip any PR created by dependabot to avoid permission issues
if: (github.actor != 'dependabot[bot]')
steps:
# Fetch project source
- uses: actions/checkout@v3
- run: /usr/bin/git clone https://${{ secrets.SEMGREP_PAT }}@github.cmd.navi-tech.in/Information-Security/semgrep-rules.git
- run: semgrep ci --json > semgrep.json
env:
PR_NUMBER: ${{ github.event.number }}
# Select rules for your scan with one of these two options.
# Option 1: set hard-coded rulesets
SEMGREP_RULES: >- # more at semgrep.dev/r
./semgrep-rules
- name: Vulnerability Analysis Result
if: failure()
run: /usr/bin/curl -X POST http://semgrep.cmd.navi-tech.in/v1/semgrep/ -H "X-repo-name":${{ github.repository }} -H "X-pr-number":${{github.event.number}} -H "X-event-name":${{ github.event_name }} -H "Content-Type:application/json" -d @semgrep.json
- name: Send the Result
run: /usr/bin/curl -X GET http://semgrep.cmd.navi-tech.in/v1/semgrep/ -H "X-repo-name":${{ github.repository }} -H "X-pr-number":${{github.event.number}} -H "X-event-name":${{ github.event_name }} -H "Content-Type:application/json"
run-if-failed:
runs-on: [ self-hosted ]
needs: [semgrep]
if: always() && (needs.semgrep.result == 'failure')
steps:
- name: Create comment
if: ${{ ( github.event.number != '' ) }}
uses: peter-evans/create-or-update-comment@v2
with:
issue-number: ${{ github.event.pull_request.number }}
body: |
**Vulnerabilities have been discovered in this PR. Please check the vulnerability Analysis section of Semgrep Workflow to understand the security vulnerability. Feel free to reach out to #sast-help for more information **
- name: Assign Reviewers
if: ${{ ( github.event.number != '' ) }}
uses: Information-Security/security-oncall-action@v1.1
Reference in New Issue View Git Blame Copy Permalink