Skip to content

Commit 0f73297

Browse files
authored
[IDP-948] Use reusable Semgrep workflow (#10)
* [IDP-948] Use reusable Semgrep workflow * Undo schedule and branch changes
1 parent 15820ca commit 0f73297

File tree

1 file changed

+3
-39
lines changed

1 file changed

+3
-39
lines changed

.github/workflows/semgrep.yml

Lines changed: 3 additions & 39 deletions
Original file line numberDiff line numberDiff line change
@@ -2,49 +2,13 @@ name: Semgrep scan
22

33
on:
44
pull_request:
5-
branches: ["main", "master"]
5+
branches: ["main"]
66
workflow_dispatch: {}
77
schedule:
88
- cron: "52 2 * * 6"
99

1010
jobs:
11-
semgrep:
12-
runs-on: ubuntu-latest
11+
call-workflow-semgrep:
1312
permissions:
1413
security-events: write
15-
16-
container:
17-
image: returntocorp/semgrep
18-
19-
steps:
20-
- name: Checkout all commits and tags
21-
uses: actions/checkout@v4
22-
if: ${{ github.event_name == 'pull_request' }}
23-
with:
24-
fetch-depth: 0
25-
26-
- name: Checkout single commit
27-
uses: actions/checkout@v4
28-
if: ${{ github.event_name != 'pull_request' }}
29-
30-
- name: Pull request scan
31-
if: ${{ github.event_name == 'pull_request' }}
32-
run: semgrep scan --config=auto --verbose --time --error --baseline-commit ${{ github.event.pull_request.base.sha }}
33-
34-
- name: Full scan
35-
if: ${{ github.event_name != 'pull_request' }}
36-
run: semgrep scan --config=auto --verbose --time --sarif --output report.sarif
37-
38-
- name: Save report as pipeline artifact
39-
if: ${{ github.event_name != 'pull_request' }}
40-
uses: actions/upload-artifact@v4
41-
with:
42-
name: report.sarif
43-
path: report.sarif
44-
45-
- name: Publish code scanning alerts
46-
if: ${{ github.event_name != 'pull_request' }}
47-
uses: github/codeql-action/upload-sarif@v3
48-
with:
49-
sarif_file: report.sarif
50-
category: semgrep
14+
uses: gsoft-inc/wl-reusable-workflows/.github/workflows/reusable-semgrep-workflow.yml@main

0 commit comments

Comments
 (0)