Migrate returntocorp/semgrep-action (#77)

* Bump returntocorp/semgrep-action Bumps [returntocorp/semgrep-action](https://github.com/returntocorp/semgrep-action) from e9c03cf55b6e6228674d9c6837158af4b61598c9 to 661b622e8b74c22d80899c2e5cd5416a25b48210. - [Release notes](https://github.com/returntocorp/semgrep-action/releases) - [Changelog](https://github.com/returntocorp/semgrep-action/blob/develop/CHANGELOG.md) - [Commits](returntocorp/semgrep-action@e9c03cf...661b622) --- updated-dependencies: - dependency-name: returntocorp/semgrep-action dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> * Update reusable-semgrep.yml * Pin hash of image --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Wayback Archiver <[email protected]>
wabarc · Feb 6, 2023 · 9790b64 · 9790b64
1 parent 6c526f2
commit 9790b64
Showing 1 changed file with 29 additions and 15 deletions.
diff --git a/.github/workflows/reusable-semgrep.yml b/.github/workflows/reusable-semgrep.yml
@@ -20,6 +20,11 @@ permissions:
 jobs:
   semgrep:
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+    container:
+      image: returntocorp/semgrep:sha-293a57f
     env:
       SEMGREP_SEND_METRICS: 'off'
     steps:
@@ -50,27 +55,36 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Run Bug Scan
-        uses: returntocorp/semgrep-action@e9c03cf55b6e6228674d9c6837158af4b61598c9
-        with:
-          config: p/r2c-bug-scan
+        run: semgrep ci
+        env:
+          SEMGREP_RULES: 'p/r2c-bug-scan'
 
       - name: Run CI
-        uses: returntocorp/semgrep-action@e9c03cf55b6e6228674d9c6837158af4b61598c9
-        with:
-          config: p/r2c-ci
+        run: semgrep ci
+        env:
+          SEMGREP_RULES: 'p/r2c-ci'
 
       - name: Run Best Practices
-        uses: returntocorp/semgrep-action@e9c03cf55b6e6228674d9c6837158af4b61598c9
-        with:
-          config: p/r2c-best-practices
+        run: semgrep ci
+        env:
+          SEMGREP_RULES: 'p/r2c-best-practices'
 
       - name: Run Security Audit
-        uses: returntocorp/semgrep-action@e9c03cf55b6e6228674d9c6837158af4b61598c9
-        with:
-          config: p/r2c-security-audit
+        run: semgrep ci
+        env:
+          SEMGREP_RULES: 'p/r2c-security-audit'
 
       - name: Run GoSec
-        uses: returntocorp/semgrep-action@e9c03cf55b6e6228674d9c6837158af4b61598c9
-        with:
-          config: p/gosec
+        run: semgrep ci
+        env:
+          SEMGREP_RULES: 'p/gosec'
+
+      - name: Run Secrets Detecting
+        run: semgrep ci
+        env:
+          SEMGREP_RULES: 'p/secrets'
 
+      - name: Run insecure-transport Detecting
+        run: semgrep ci
+        env:
+          SEMGREP_RULES: 'p/insecure-transport'