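---
# Semgrep static-analysis workflow.
#
# Runs the repository's own Semgrep rule files (under .ci/) plus a small set
# of registry rules against the code base. Triggers: pushes to main and
# release branches, and pull requests that touch the Go sources, the Semgrep
# rule files, or this workflow. Every scan job fails the run on any finding
# (see SEMGREP_ARGS below).
name: Semgrep Checks

# `on` is the GitHub Actions trigger key; generic YAML 1.1 parsers read it as
# a boolean, so keep the yamllint truthy rule quiet here.
on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
      - 'release/**'
  pull_request:
    paths:
      - 'internal/**'
      - '.semgrep*yml'
      - '.github/workflows/semgrep-ci.yml'

# Least privilege: the jobs only check out the repository and run Semgrep
# locally; nothing here writes to the repository, issues or pull requests.
permissions:
  contents: read

# NOTE: !!!
# When changing these workflows, ensure that the following is updated:
# - Documentation: docs/continuous-integration.md
# - Documentation: docs/makefile-cheat-sheet.md
# - Makefile: ./GNUmakefile
env:
  # Environment values reach Semgrep as strings; keep them quoted so a YAML
  # parser never retypes "off"/"false" into booleans or "300" into an int.
  SEMGREP_SEND_METRICS: "off"
  SEMGREP_ENABLE_VERSION_CHECK: "false"
  SEMGREP_TIMEOUT: "300"
  # --error: non-zero exit on any finding; --quiet: suppress progress output.
  # Expanded unquoted in the `run:` steps on purpose so the shell splits it.
  SEMGREP_ARGS: --error --quiet

# All jobs use the same pinned Semgrep image. The tag is fixed, but a tag can
# still be re-pushed; pinning by digest (image@sha256:<digest-from-registry>)
# would make the scanner immutable in the same way the checkout action below
# is pinned to a commit SHA.
jobs:
  semgrep:
    name: Code Quality Scan
    runs-on: ubuntu-latest
    container:
      image: "returntocorp/semgrep:1.52.0"
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - run: |
          semgrep $SEMGREP_ARGS \
            --config .ci/.semgrep.yml \
            --config .ci/.semgrep-constants.yml \
            --config .ci/.semgrep-test-constants.yml \
            --config .ci/semgrep/ \
            --config 'r/dgryski.semgrep-go.badnilguard' \
            --config 'r/dgryski.semgrep-go.errnilcheck' \
            --config 'r/dgryski.semgrep-go.marshaljson' \
            --config 'r/dgryski.semgrep-go.nilerr' \
            --config 'r/dgryski.semgrep-go.oddifsequence' \
            --config 'r/dgryski.semgrep-go.oserrors'

  # The naming/config scans below are skipped for Dependabot pull requests.
  # `github.actor` is the user that triggered the run; the earlier revision
  # compared `github.action` (the name of the running action/step), which can
  # never equal 'dependabot[bot]', so the skip silently never applied.
  naming_cae:
    name: Naming Scan Caps/AWS/EC2
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    container:
      image: "returntocorp/semgrep:1.52.0"
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      # Validate the rule file first so a malformed rule fails loudly instead
      # of being silently skipped during the scan.
      - run: semgrep --validate --config .ci/.semgrep-caps-aws-ec2.yml
      - run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-caps-aws-ec2.yml

  naming_tests:
    name: Test Configs Scan
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    container:
      image: "returntocorp/semgrep:1.52.0"
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - run: semgrep --validate --config .ci/.semgrep-configs.yml
      - run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-configs.yml

  # Service-name rules are split into four alphabetical shards so each job
  # stays within a reasonable runtime; the shard boundaries are in the names.
  naming_semgrep0:
    name: Service Name Scan A-C
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    container:
      image: "returntocorp/semgrep:1.52.0"
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - run: semgrep --validate --config .ci/.semgrep-service-name0.yml
      - run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-service-name0.yml

  naming_semgrep1:
    name: Service Name Scan C-I
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    container:
      image: "returntocorp/semgrep:1.52.0"
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - run: semgrep --validate --config .ci/.semgrep-service-name1.yml
      - run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-service-name1.yml

  naming_semgrep2:
    name: Service Name Scan I-Q
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    container:
      image: "returntocorp/semgrep:1.52.0"
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - run: semgrep --validate --config .ci/.semgrep-service-name2.yml
      - run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-service-name2.yml

  naming_semgrep3:
    name: Service Name Scan Q-Z
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    container:
      image: "returntocorp/semgrep:1.52.0"
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - run: semgrep --validate --config .ci/.semgrep-service-name3.yml
      - run: semgrep $SEMGREP_ARGS --config .ci/.semgrep-service-name3.yml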