fleet/.github/workflows/semgrep-analysis.yml

name: Semgrep

on:
  workflow_dispatch: # (manual dispatch)
  schedule:
    - cron: '0 2 * * *'

permissions:
  contents: read

jobs:
  semgrep:
    name: Scan
    runs-on: ubuntu-latest
    steps:
      # Checkout project source
      - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2

      # Scan code using project's configuration on https://semgrep.dev/manage
      - uses: returntocorp/semgrep-action@a9f6c903be5b9bc982d6be6f9312146daa4964b5 # v1
        with:
          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
          publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}
          # generateSarif: "1"

      # # Upload SARIF file generated in previous step
      # - name: Upload SARIF file
      #   uses: github/codeql-action/upload-sarif@v1
      #   with:
      #     sarif_file: semgrep.sarif
      #   if: always()
Add semgrep scanning configuration (#1571) Runs a nightly semgrep scan. 2021-08-06 01:23:58 +00:00			`name: Semgrep`

			`on:`
Update semgrep configuration (#1581) - Disable sarif generation (may have been causing bug in Semgrep). - Enable manual workflow dispatch. 2021-08-06 17:02:45 +00:00			`workflow_dispatch: # (manual dispatch)`
Add semgrep scanning configuration (#1571) Runs a nightly semgrep scan. 2021-08-06 01:23:58 +00:00			`schedule:`
			`- cron: '0 2 * * *'`

Adding permissions to some workflows (#4698) * Adding permissions to docs.yml and integration.yml * Update codeql-analysis.yml Adding top level read permissions to codeql workflow * Update codeql-analysis.yml Adding manual dispatch to codeql - to be able to test it easier * Update deploy-fleet-website.yml Adding top level read permission + write in the job so it can push the website * Update test-website.yml test-website should only need read permissions on content. * Update fleet-and-orbit.yml Testing Fleet and Orbit should be fine with top level read access * Update fleetctl-preview.yml fleetctl-preview should be fine with just read access at top level * Update push-osquery-perf-to-ecr.yml ECR is out of github so read permissions should be enough * Update semgrep-analysis.yml semgrep should only need read * Update test-packaging.yml Should only need read permission - setting on top * Update test.yml Should not need any write access - setting to READ on top. * Update deploy-fleet-website.yml Removing git write permission - since this pushes to Heroku not GitHub * Tweaked as per Zach's comments Removed some useless restrictions (contents none on a public repo for example) * Removed meaningless permissions contents: none - this does not have any security advantage on a public repo 2022-03-25 18:19:42 +00:00			`permissions:`
			`contents: read`

Add semgrep scanning configuration (#1571) Runs a nightly semgrep scan. 2021-08-06 01:23:58 +00:00			`jobs:`
			`semgrep:`
			`name: Scan`
			`runs-on: ubuntu-latest`
			`steps:`
			`# Checkout project source`
4620 pin action dependencies (#4622) * Update build-binaries.yaml Pin action versions + add read only token to build-binaries.yaml * Update codeql-analysis.yml Pin dependencies with hash for codeql-analysis.yml * Update deploy-fleet-website.yml Pin dependencies in deploy-fleet-website.yml * Update docs.yml Pin dependencies for docs.yml * Update fleet-and-orbit.yml Pinning dependencies for fleet-and-orbit.yml * Update generate-osqueryd-app-tar-gz.yml Pin dependencies for generate-osqueryd-app-tar-gz.yml * Pin dependencies in goreleaser workflows Pinned dependencies in the 3 goreleaser workflows * Update integration.yml Pinned dependencies with hash * Update pr-helm.yaml Pinned dependencies with hash * Update push-osquery-perf-to-ecr.yml Pinned dependencies with a hash * Update release-helm.yaml Pinned one dependency with a hash * Update semgrep-analysis.yml Pinned dependencies with hashes * Update test-go.yaml Pinned dependencies with hash * Update test-packaging.yml Pinned dependencies with hashes * Update test-website.yml Pinned dependencies with hashes * Update test.yml Pinned dependencies with hashes 2022-03-16 19:42:28 +00:00			`- uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2`
Add semgrep scanning configuration (#1571) Runs a nightly semgrep scan. 2021-08-06 01:23:58 +00:00
			`# Scan code using project's configuration on https://semgrep.dev/manage`
Bump returntocorp/semgrep-action (#5259) Bumps [returntocorp/semgrep-action](https://github.com/returntocorp/semgrep-action) from b93bc50eb1bd1a016cf749808608ee465db13f9d to 1. This release includes the previously tagged commit. - [Release notes](https://github.com/returntocorp/semgrep-action/releases) - [Changelog](https://github.com/returntocorp/semgrep-action/blob/develop/CHANGELOG.md) - [Commits](https://github.com/returntocorp/semgrep-action/compare/b93bc50eb1bd1a016cf749808608ee465db13f9d...a9f6c903be5b9bc982d6be6f9312146daa4964b5) --- updated-dependencies: - dependency-name: returntocorp/semgrep-action dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2022-04-20 23:45:36 +00:00			`- uses: returntocorp/semgrep-action@a9f6c903be5b9bc982d6be6f9312146daa4964b5 # v1`
Add semgrep scanning configuration (#1571) Runs a nightly semgrep scan. 2021-08-06 01:23:58 +00:00			`with:`
			`publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}`
			`publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}`
Update semgrep configuration (#1581) - Disable sarif generation (may have been causing bug in Semgrep). - Enable manual workflow dispatch. 2021-08-06 17:02:45 +00:00			`# generateSarif: "1"`
Add semgrep scanning configuration (#1571) Runs a nightly semgrep scan. 2021-08-06 01:23:58 +00:00
Update semgrep configuration (#1581) - Disable sarif generation (may have been causing bug in Semgrep). - Enable manual workflow dispatch. 2021-08-06 17:02:45 +00:00			`# # Upload SARIF file generated in previous step`
			`# - name: Upload SARIF file`
			`# uses: github/codeql-action/upload-sarif@v1`
			`# with:`
			`# sarif_file: semgrep.sarif`
			`# if: always()`