From caf298a2054e8351f43ac489cbf038d51e272682 Mon Sep 17 00:00:00 2001 From: yogur Date: Thu, 22 Aug 2024 11:43:40 +0200 Subject: [PATCH] [skip ci] Add security code scanning workflow --- .github/workflows/codeql-analysis.yml | 35 ------------------------- .github/workflows/security-analysis.yml | 24 +++++++++++++++++ 2 files changed, 24 insertions(+), 35 deletions(-) delete mode 100644 .github/workflows/codeql-analysis.yml create mode 100644 .github/workflows/security-analysis.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml deleted file mode 100644 index 82b1aa2..0000000 --- a/.github/workflows/codeql-analysis.yml +++ /dev/null @@ -1,35 +0,0 @@ -name: "CodeQL" - -on: - # workflow_dispatch enables manual triggering of the workflow - workflow_dispatch: - schedule: - - cron: '23 20 * * 5' -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: ['javascript'] - - steps: - - name: Checkout repository - uses: actions/checkout@v2 - - - name: Initialize CodeQL - uses: github/codeql-action/init@v1 - with: - languages: ${{ matrix.language }} - - - name: Autobuild - uses: github/codeql-action/autobuild@v1 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 diff --git a/.github/workflows/security-analysis.yml b/.github/workflows/security-analysis.yml new file mode 100644 index 0000000..279158e --- /dev/null +++ b/.github/workflows/security-analysis.yml @@ -0,0 +1,24 @@ +name: "Security Static Analysis" + +on: + pull_request: {} + workflow_dispatch: {} + push: + branches: + - main + - master + schedule: + - cron: '22 6 8 * *' +jobs: + scan: + name: "Security Static Analysis" + runs-on: ubuntu-latest + + # Skip any PR created by dependabot: + if: (github.actor != 'dependabot[bot]') + + steps: + - uses: scout24/s24-sast-action@v2 + with: + SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} +