40 lines
1.4 KiB
YAML
40 lines
1.4 KiB
YAML
name: Semgrep
|
|
|
|
on:
|
|
# Scan changed files in PRs, block on new issues only (existing issues ignored)
|
|
pull_request:
|
|
branches:
|
|
- master
|
|
- main
|
|
|
|
# Schedule this job to run at a certain time, using cron syntax
|
|
# Note that * is a special character in YAML so you have to quote this string
|
|
schedule:
|
|
- cron: '00 03 * * 0' # scheduled for 8.30 AM on every sunday
|
|
|
|
jobs:
|
|
central-semgrep:
|
|
name: Static code Analysis
|
|
uses: Information-Security/security-workflows/.github/workflows/central-semgrep.yml@master
|
|
with:
|
|
github-event-number: ${{github.event.number}}
|
|
github-event-name: ${{github.event_name}}
|
|
github-repository: ${{github.repository}}
|
|
|
|
run-if-failed:
|
|
runs-on: [ self-hosted ]
|
|
needs: [central-semgrep]
|
|
if: always() && (needs.semgrep.result == 'failure')
|
|
steps:
|
|
- name: Create comment
|
|
if: ${{ ( github.event.number != '' ) }}
|
|
uses: peter-evans/create-or-update-comment@v2
|
|
with:
|
|
issue-number: ${{ github.event.pull_request.number }}
|
|
body: |
|
|
**Vulnerabilities have been discovered in this PR. Please check the vulnerability Analysis section of Semgrep Workflow to understand the security vulnerability. Feel free to reach out to #sast-help for more information **
|
|
|
|
- name: Assign Reviewers
|
|
if: ${{ ( github.event.number != '' ) }}
|
|
uses: Information-Security/security-oncall-action@v1.1
|