From 4bd9618c2ab62f1b9c9bedf8134c3f9b899a7b83 Mon Sep 17 00:00:00 2001
From: yogur <abdul.al-kibbe@scout24.com>
Date: Wed, 21 Aug 2024 15:15:44 +0200
Subject: [PATCH] [skip ci] Add security code scanning workflow

---
 .github/workflows/codeql-analysis.yml   | 35 -------------------------
 .github/workflows/security-analysis.yml | 24 +++++++++++++++++
 2 files changed, 24 insertions(+), 35 deletions(-)
 delete mode 100644 .github/workflows/codeql-analysis.yml
 create mode 100644 .github/workflows/security-analysis.yml

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index 44fb0bf..0000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: "CodeQL"
-
-on:
-  # workflow_dispatch enables manual triggering of the workflow
-  workflow_dispatch:
-  schedule:
-  - cron: '53 4 * * 0'
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ['python']
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
-
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      with:
-        languages: ${{ matrix.language }}
-
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
diff --git a/.github/workflows/security-analysis.yml b/.github/workflows/security-analysis.yml
new file mode 100644
index 0000000..7fdc4dd
--- /dev/null
+++ b/.github/workflows/security-analysis.yml
@@ -0,0 +1,24 @@
+name: "Security Static Analysis"
+
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+  push:
+    branches:
+    - main
+    - master
+  schedule:
+  - cron: '2 14 20 * *'
+jobs:
+  scan:
+    name: "Security Static Analysis"
+    runs-on: ubuntu-latest
+
+    # Skip any PR created by dependabot:
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+    - uses: scout24/s24-sast-action@v2
+      with:
+        SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+
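Review bot: The new `scan` job declares no `permissions:` block, so its `GITHUB_TOKEN` falls back to the repository default instead of the explicit least-privilege set the deleted codeql-analysis.yml carried (`actions: read`, `contents: read`, `security-events: write`). Add a job-level block such as `permissions:` / `  contents: read` / `  security-events: write` under `runs-on`, keeping `security-events: write` only if scout24/s24-sast-action uploads results to code scanning, which is not visible in this diff. The action is also referenced by the mutable tag `@v2`; pinning to a full commit SHA with the tag in a trailing comment (`uses: scout24/s24-sast-action@<commit-sha>  # v2`) protects the workflow against a retagged release. Since `pull_request: {}` also fires for pull requests from forks, where `secrets.SEMGREP_APP_TOKEN` is not populated, the step presumably runs with an empty token on those events; confirm the action tolerates that or narrow the trigger.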