🔄 Synced file(s) with Information-Security/security-workflows (#5498)

Co-authored-by: security-bot <null>
2023-02-28 19:40:47 +05:30
parent 8d07fb1417
commit 583a2885c6
1 changed files with 8 additions and 39 deletions
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -13,47 +13,16 @@ on:
    - cron: '00 03 * * 0' # scheduled for 8.30 AM on every sunday

 jobs:
-  semgrep:
-    name: Static code Analysis
-    runs-on: [ self-hosted ]
-    
-    # Skip any PR created by dependabot to avoid permission issues
-    if: (github.actor != 'dependabot[bot]')
-    steps:
-      - name: Clean workspace
-        uses: navi-infra/clean-workspace@master
-        
-      # Fetch Project Source
-      - uses: actions/checkout@v3
-        name: Checkout Source Repository
-        
-      # Fetch Semgrep Rules
-      - name: Fetching Semgrep Rules
-        uses: actions/checkout@v3
-        with:
-          repository: Information-Security/semgrep-rules
-          path: semgrep-rules
+  central-semgrep:
+    uses: Information-Security/security-workflows/.github/workflows/central-semgrep.yml@master
+    with:
+      github-event-number: ${{github.event.number}}
+      github-event-name: ${{github.event_name}}
+      github-repository: ${{github.repository}}
      
-      - name: Semgrep Scan
-        run: |
-              semgrep ci -q || true && semgrep ci -q --json > semgrep.json
-        env:
-          PR_NUMBER: ${{ github.event.number }}
-          # Select rules for your scan with one of these two options.
-          # Option 1: set hard-coded rulesets
-          SEMGREP_RULES: >- # more at semgrep.dev/r
-            ./semgrep-rules
-
-      - name: Send Vulnerablity Result(s)
-        if: failure()
-        run: /usr/bin/curl -s -X POST http://semgrep.cmd.navi-tech.in/v1/semgrep/ -H "X-repo-name":${{ github.repository }} -H "X-pr-number":${{github.event.number}} -H "X-event-name":${{ github.event_name }} -H "Content-Type:application/json" -d @semgrep.json
-      
-      - name: Send Metadata
-        run: /usr/bin/curl -s -X GET http://semgrep.cmd.navi-tech.in/v1/semgrep/ -H "X-repo-name":${{ github.repository }} -H "X-pr-number":${{github.event.number}} -H "X-event-name":${{ github.event_name }} -H "Content-Type:application/json"
-  
  run-if-failed:
    runs-on: [ self-hosted ]
-    needs: [semgrep]
+    needs: [central-semgrep]
    if: always() && (needs.semgrep.result == 'failure')
    steps:
      - name: Create comment
@@ -66,4 +35,4 @@ jobs:
             
      - name: Assign Reviewers
        if: ${{ ( github.event.number != '' ) }}
-        uses: Information-Security/security-oncall-action@v1.1
+        uses: Information-Security/security-oncall-action@v1.1