.github/workflows/njsscan.yml

---
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# This workflow integrates njsscan with GitHub's Code Scanning feature
# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications

name: njsscan sarif

on:
  push:
    branches:
      - "main"
  pull_request:
    # The branches below must be a subset of the branches above
    branches:
      - "main"
  schedule:
    - cron: "45 12 * * 4"

permissions:
  contents: read

jobs:
  check:
    name: Check
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: read
    steps:
      # Use the gh API to check if the repository has code scanning enabled
      # We can check this at /repos/{owner}/{repo}/code-scanning/alerts
      - name: Check if code scanning is enabled
        id: check
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          status=$(gh api /repos/${{ github.repository }}/code-scanning/alerts -i 2>/dev/null | head -n 1 | awk '{ print $2 }')
          if [[ $status == "200" ]]; then
            echo "enabled=true" >> $GITHUB_OUTPUT
          else
            echo "enabled=false" >> $GITHUB_OUTPUT
          fi
    outputs:
      enabled: ${{ steps.check.outputs.enabled }}
  njsscan:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    runs-on: ubuntu-latest
    name: njsscan code scanning
    needs: check
    steps:
      - name: Checkout the code
        if: needs.check.outputs.enabled == 'true'
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      - name: nodejsscan scan
        if: needs.check.outputs.enabled == 'true'
        id: njsscan
        uses: ajinabraham/njsscan-action@c7b65a3590ade829628b2b3c87b34ac0ce666a79
        with:
          args: ". --sarif --output results.sarif || true"
      - name: Upload njsscan report
        if: needs.check.outputs.enabled == 'true'
        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3
        with:
          sarif_file: results.sarif