Merge pull request RasaHQ#11930 from RasaHQ/INFRA-180-introduce-semgr…

…ep-scanning-for-git-hub-actions-workflows-in-the-rasa-oss-repo Add semgrep github action
FGA-GCES · Jan 12, 2023 · 39dc806 · 39dc806
2 parents ca017d6 + 3497fd9
commit 39dc806
Showing 1 changed file with 33 additions and 0 deletions.
diff --git a/.github/workflows/semgrep-check.yml b/.github/workflows/semgrep-check.yml
@@ -0,0 +1,33 @@
+# Name of this GitHub Actions workflow.
+name: Semgrep
+
+on:
+  # Scan mainline branches and report all findings:
+  push:
+    branches:
+      - main
+  # Scan changed files in PRs (diff-aware scanning):
+  pull_request:
+
+jobs:
+  semgrep:
+    # User-definable name of this GitHub Actions job:
+    name: Semgrep Workflow Security Scan
+    # If you are self-hosting, change the following `runs-on` value:
+    runs-on: ubuntu-22.04
+
+    container:
+      # A Docker image with Semgrep installed. Do not change this.
+      image: returntocorp/semgrep@sha256:37736e4992c539f760e36e14d48924bd9fa70d0abbde39a6d86d93f66a1affd4
+
+    # To skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      # Fetch project source with GitHub Actions Checkout.
+      - uses: actions/checkout@v3
+      # Run the "semgrep ci" command on the command line of the docker image.
+      - run: semgrep ci
+        env:
+          # Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable.
+          SEMGREP_RULES: p/github-actions