.github/workflows/semgrep-scan.yml

# Ref: https://semgrep.dev/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file
name: Semgrep OSS scan

on:
  push:
    branches:
    - "master"
  pull_request:
    branches:
    - "master"

permissions:
  contents: read

jobs:
  semgrep:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
    name: semgrep-oss/scan
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Run Semgrep OSS scan
        run: semgrep scan --config auto --sarif-output=semgrep.sarif

      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
        with:
          sarif_file: semgrep.sarif