name: Run Semgrep
on:
  workflow_call:

jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: returntocorp/semgrep

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Semgrep
        run: | 
          semgrep \
            --sarif --output semgrep.sarif \
            --metrics=off \
            --config="p/default"

      - name: Save report
        uses: actions/upload-artifact@v4
        with:
          name: semgrep.sarif
          path: semgrep.sarif

      - name: Scanning alerts
        uses: github/codeql-action/upload-sarif@v3.25.7
        with:
          sarif_file: semgrep.sarif
          category: semgrep

      - name: Mattermost Notification
        if: always()
        uses: rtCamp/action-slack-notify@v2.2.0
        env:
          SLACK_USERNAME: ${{ github.event.repository.name }}
          SLACK_WEBHOOK: ${{ secrets.mm-sa-wh-url }}
          SLACK_COLOR: ${{ job.status }}
          SLACK_LINK_NAMES: true
          SLACK_FOOTER: ""