ci: semgrep config

.github/workflows/semgrep.yml

@@ -0,0 +1,41 @@
+name: Semgrep
+on:
+  # Scan changed files in PRs, block on new issues only (existing issues ignored)
+  pull_request: {}
+  push:
+    branches:
+      - main
+    paths:
+      - .github/workflows/semgrep.yml
+  schedule:
+    - cron: '0 0 * * 0'
+jobs:
+  semgrep:
+    name: Scan
+    runs-on: ubuntu-latest
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      - uses: actions/checkout@v2
+      - name: Get Diff
+        uses: technote-space/[email protected]
+        with:
+          PATTERNS: |
+            **/*.go
+            **/*.js
+            **/*.ts
+            **/*.sol
+            go.mod
+            go.sum
+      - uses: returntocorp/semgrep-action@v1
+        with:
+          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
+           # Upload findings to GitHub Advanced Security Dashboard [step 1/2]
+          # See also the next step.
+          generateSarif: "1"
+        if: "env.GIT_DIFF_FILTERED != ''"
+      # Upload findings to GitHub Advanced Security Dashboard [step 2/2]
+      - name: Upload SARIF file for GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: semgrep.sarif
+        if: "env.GIT_DIFF_FILTERED != ''"

.semgrepignore

@@ -0,0 +1,29 @@
+# Ignore git items
+.gitignore
+.git/
+:include .gitignore
+
+# Common large paths
+node_modules/
+build/
+dist/
+vendor/
+.env/
+.venv/
+.tox/
+*.min.js
+*.pb.gw.go
+
+# Common test paths
+test/
+tests/
+*_test.go
+
+# Semgrep rules folder
+.semgrep
+
+# Semgrep-action log folder
+.semgrep_logs/
+
+# Documentation
+client/docs/