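---
# SAST workflow: runs Semgrep over the PHP / JS / TS sources and publishes
# the findings to the GitHub Security tab (code scanning) as SARIF.
name: SAST — Semgrep

on:
  push:
    branches: [main]
    paths:
      - 'app/app/**'
      - 'app/resources/js/**'
      - 'app/database/migrations/**'
      - '.semgrep.yml'
      - '.github/workflows/sast.yml'
  pull_request:
    branches: [main]
    paths:
      - 'app/app/**'
      - 'app/resources/js/**'
      - 'app/database/migrations/**'
      # Rule-set and workflow edits are scanned on PRs as well, so a change
      # that silently weakens the scan is reviewed before it lands on main.
      - '.semgrep.yml'
      - '.github/workflows/sast.yml'

# Least privilege for GITHUB_TOKEN: read the checkout, write code-scanning
# results. `actions: read` is what upload-sarif needs on private repositories
# to look up the workflow run.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  semgrep:
    name: Semgrep SAST scan
    runs-on: ubuntu-latest
    steps:
      # Supply chain: mutable tags (v4 / v1 / v3) can be moved upstream;
      # pinning each third-party action to a full commit SHA is safer.
      - uses: actions/checkout@v4

      - name: Run Semgrep
        # NOTE(review): semgrep-action appears to be no longer actively
        # maintained upstream — confirm, and consider migrating to the
        # `semgrep/semgrep` container running `semgrep ci`.
        uses: semgrep/semgrep-action@v1
        with:
          config: >-
            p/php
            p/javascript
            p/typescript
            p/secrets
          # Without this the action writes no semgrep.sarif, so the upload
          # step below has nothing to publish and the Security tab stays empty.
          generateSarif: "1"
        env:
          # SEMGREP_APP_TOKEN is optional; it enables the Semgrep Cloud dashboard.
          # Without it the action runs in open-source mode and results are only
          # visible in the GitHub Security tab.
          # To add it: GitHub → Settings → Secrets → Actions → SEMGREP_APP_TOKEN
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

      - name: Upload SARIF to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        # always(): findings must still be uploaded when Semgrep exits non-zero
        # because it found blocking issues.
        if: always()
        with:
          sarif_file: semgrep.sarif
        # Best-effort upload (e.g. PRs from forks are not granted
        # security-events: write). This also hides a missing or malformed
        # SARIF file — check this step's log if findings never appear.
        continue-on-error: true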