From 558a47b67040ea3719a9a9475d0601130f10cb28 Mon Sep 17 00:00:00 2001
From: nHackel <nHackel@users.noreply.github.com>
Date: Thu, 14 Nov 2024 13:37:27 +0100
Subject: [PATCH] Attempt at semgrep ci

---
 .github/workflows/Semgrep.yml | 70 +++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 .github/workflows/Semgrep.yml

diff --git a/.github/workflows/Semgrep.yml b/.github/workflows/Semgrep.yml
new file mode 100644
index 0000000..ed6d03a
--- /dev/null
+++ b/.github/workflows/Semgrep.yml
@@ -0,0 +1,70 @@
+# Based on:
+# https://semgrep.dev/docs/semgrep-ci/sample-ci-configs#github-actions
+# https://0xdbe.github.io/GitHub-HowToEnableCodeScanningWithSemgrep/
+# https://medium.com/@mostafa.elnakeb/supercharging-your-code-quality-with-semgrep-sast-in-github-actions-c8f30eb26655
+# Name of this GitHub Actions workflow.
+name: Semgrep OSS scan
+
+on:
+  # Scan on-demand through GitHub Actions interface:
+  workflow_dispatch: 
+    branches:
+        - main
+  # Schedule the CI job (this method uses cron syntax):
+  schedule:
+    - cron: '0 0 * * 1' # Run at start of week 
+    
+jobs:
+  semgrep:
+    # User definable name of this GitHub Actions job.
+    name: semgrep-oss/scan
+    # If you are self-hosting, change the following `runs-on` value: 
+    runs-on: ubuntu-latest
+
+    # Skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+        # Checkout the repository.
+      - name: Clone source code
+        uses: actions/checkout@v4
+
+
+        # Checkout custom rules
+      - name: Checkout custom rules
+        uses: actions/checkout@v4
+            with:
+                repository: JuliaComputing/semgrep-rules-julia
+                ref: main
+                path: ./JuliaRules
+
+        # Prepare Python
+      - uses: actions/setup-python@v5
+            with:
+                python-version: '3.10'
+
+        # Install Semgrep
+      - name: Install Semgrep
+        run: python3 -m pip install semgrep
+    
+      - name: Scan with Semgrep
+        run: | 
+            semgrep scan \ 
+                --config ./JuliaRules/rules \
+                --metrics = off \
+                --sarif --output report.sarif
+                --oss-only
+                --exclude=JuliaRules
+    
+      - name: Save Semgrep report
+        use: actions/upload-artifact@v4
+            with:
+                name: report.sarif
+                path: report.sarif
+
+
+      - name: Upload Semgrep report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: report.sarif
+          category: semgrep
\ No newline at end of file