.github/workflows/salus.yaml

on:
  push:
  schedule:
    - cron: "0 0 * * *"

name: Salus security scan

jobs:
  semgrep:
    runs-on: ubuntu-latest
    name: Semgrep
    steps:
      - uses: actions/checkout@v4
      - name: Scan
        id: scan
        run: |
          set -eo pipefail;
          python3 -m pip install semgrep;
          semgrep scan --error --config https://semgrep.dev/p/trailofbits --config semgrep_configs

  salus_scan_job:
    runs-on: ubuntu-latest
    name: Salus Security Scan
    steps:
      - uses: actions/checkout@v4
      - name: Salus Scan
        id: salus_scan
        uses: federacy/scan-action@0.1.5
        env:
          SALUS_CONFIGURATION: "file://salus-config.yaml"
        with:
          report_uri: file://./salus-report.txt
          report_format: txt
      - uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: Scan results
          path: ./salus-report.txt