Skip to content
semgrep

[feature/BLAZ-1027] to dev #577

Sign in to view logs

[feature/BLAZ-1027] to dev

[feature/BLAZ-1027] to dev #577

Workflow file for this run

.github/workflows/semgrep.yml at c19d4b1
# This workflow will perform a static code testing with semgrep
name: semgrep
on:
pull_request: {}
jobs:
semgrep:
name: Run Semgrep scan with owasp-top-ten & cwe-top-25
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep
steps:
- uses: actions/checkout@v3
- id: semgrep
run: semgrep ci --metrics=off --config=p/owasp-top-ten --config=p/cwe-top-25 --config=p/gitleaks --config .semgrep/rules/detected-aws-account-id-in-arn.yaml --config r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id --config r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key -q --skip-unknown-extensions --suppress-errors
continue-on-error: true
- name: Get branch name (pull request)
run: echo "BRANCH_NAME=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV
- name: Set failure message vars
if: steps.semgrep.outcome == 'failure'
run: echo "icon=fire" >> $GITHUB_ENV
- name: Set success message vars
if: steps.semgrep.outcome == 'success'
run: echo "icon=checkered_flag" >> $GITHUB_ENV
- name: Format Branch name
shell: bash
run: echo "BRANCH_NAME=${BRANCH_NAME^^}" >> $GITHUB_ENV
- name: Semgrep report to Slack
if: ${{ env.BRANCH_NAME }} == 'DEV' || ${{ env.BRANCH_NAME }} == 'MAIN'
id: slack-report
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 #v1.24.0
with:
payload: |
{
"text": ":${{ env.icon }}: Semgrep-Startleft-${{ env.BRANCH_NAME }} vulnerability test result: ${{ steps.semgrep.outcome }} <https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}|Pipeline logs>"
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK_URL }}
- name: Stop if Semgrep finds a vulnerability
if: steps.semgrep.outcome == 'failure'
run: exit 1