-
Notifications
You must be signed in to change notification settings - Fork 5.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update Semgrep to new container version #2140
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the PR @GeekMasher! I noticed the following from the Semgrep documentation. Would you confirm if that's intended for this workflow? Specifically the conflict between rules and the app token defined in the same workflow.
# Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable. | ||
# more at semgrep.dev/explore | ||
SEMGREP_RULES: p/default |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
# Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable. | |
# more at semgrep.dev/explore | |
SEMGREP_RULES: p/default |
Noting that SEMGREP_RULES
should not be set in the same job as SEMGREP_APP_TOKEN
, per the latest docs: https://semgrep.dev/docs/semgrep-ci/ci-environment-variables/#semgrep_app_token
This pull request has become stale and will be closed automatically within a period of time. Sorry about that. |
schedule: | ||
- cron: $cron-weekly | ||
# Scan on-demand through GitHub Actions interface: | ||
workflow_dispatch: {} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
workflow_dispatch: {} | |
workflow_dispatch: |
Pre-requisites
Please note that at this time we are only accepting new starter workflows for Code Scanning. Updates to existing starter workflows are fine.
Tasks
For all workflows, the workflow:
.yml
file with the language or platform as its filename, in lower, kebab-cased format (for example,docker-image.yml
). Special characters should be removed or replaced with words as appropriate (for example, "dotnet" instead of ".NET").GITHUB_TOKEN
so that the workflow runs successfully.For CI workflows, the workflow:
ci
directory.ci/properties/*.properties.json
file (for example,ci/properties/docker-publish.properties.json
).push
tobranches: [ $default-branch ]
andpull_request
tobranches: [ $default-branch ]
.release
withtypes: [ created ]
.docker-publish.yml
).For Code Scanning workflows, the workflow:
code-scanning
directory.code-scanning/properties/*.properties.json
file (for example,code-scanning/properties/codeql.properties.json
), with properties set as follows:name
: Name of the Code Scanning integration.creator
: Name of the organization/user producing the Code Scanning integration.description
: Short description of the Code Scanning integration.categories
: Array of languages supported by the Code Scanning integration.iconName
: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in theicons
directory.push
tobranches: [ $default-branch, $protected-branches ]
andpull_request
tobranches: [ $default-branch ]
. We also recommend aschedule
trigger ofcron: $cron-weekly
(for example,codeql.yml
).Some general notes:
actions
organization, or