Дмитрий
51 lines
1.3 KiB
YAML
51 lines
1.3 KiB
YAML
name: SAST — Semgrep
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
paths:
|
|
- 'app/app/**'
|
|
- 'app/resources/js/**'
|
|
- 'app/database/migrations/**'
|
|
- '.semgrep.yml'
|
|
- '.github/workflows/sast.yml'
|
|
pull_request:
|
|
branches: [main]
|
|
paths:
|
|
- 'app/app/**'
|
|
- 'app/resources/js/**'
|
|
- 'app/database/migrations/**'
|
|
|
|
permissions:
|
|
contents: read
|
|
security-events: write
|
|
|
|
jobs:
|
|
semgrep:
|
|
runs-on: ubuntu-latest
|
|
name: Semgrep SAST scan
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Run Semgrep
|
|
uses: semgrep/semgrep-action@v1
|
|
with:
|
|
config: >-
|
|
p/php
|
|
p/javascript
|
|
p/typescript
|
|
p/secrets
|
|
env:
|
|
# SEMGREP_APP_TOKEN — опциональный, для Semgrep Cloud dashboard.
|
|
# Без него: open-source режим, результаты только в GitHub Security tab.
|
|
# Добавить: GitHub → Settings → Secrets → Actions → SEMGREP_APP_TOKEN
|
|
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
|
|
|
|
- name: Upload SARIF to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
if: always()
|
|
with:
|
|
sarif_file: semgrep.sarif
|
|
continue-on-error: true
|