Skip to content

Merge pull request #1579 from DependencyTrack/dependabot/maven/org.ap… #3530

Merge pull request #1579 from DependencyTrack/dependabot/maven/org.ap…

Merge pull request #1579 from DependencyTrack/dependabot/maven/org.ap… #3530

Workflow file for this run

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow file requires a free account on Semgrep.dev to
# manage rules, file ignores, notifications, and more.
#
# See https://semgrep.dev/docs
name: Semgrep
on:
push:
branches:
- main
- "feature-**"
pull_request:
# The branches below must be a subset of the branches above
branches:
- main
- "feature-**"
schedule:
- cron: '41 23 * * 4'
permissions:
contents: read
jobs:
semgrep:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Scan
runs-on: ubuntu-latest
steps:
# Checkout project source
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
# Scan code using project's configuration on https://semgrep.dev/manage
- uses: returntocorp/semgrep-action@713efdd345f3035192eaa63f56867b88e63e4e5d # tag=v1
with:
publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}
generateSarif: "1"
# Upload SARIF file generated in previous step
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@1245696032ecf7d39f87d54daa406e22ddf769a8 # v2.3.6
with:
sarif_file: semgrep.sarif
if: always()