name: semgrep on: pull_request: branches: ["main", "release/**"] push: branches: ["main"] permissions: contents: read jobs: semgrep: runs-on: ubuntu-latest container: image: semgrep/semgrep steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Run semgrep (advisory) continue-on-error: true run: | semgrep scan --config p/owasp-top-ten --config p/secrets \ --sarif --output semgrep.sarif --metrics off || true python -c "import json; d=json.load(open('semgrep.sarif')); print('semgrepFindings=%d' % len(d['runs'][0]['results']))" || echo "semgrepFindings=SKIP" - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: always() with: name: semgrep-sarif path: semgrep.sarif retention-days: 14