Create semgrep.yml #230
Create semgrep.yml #230
Conversation
## What was changed Add Github workflow to scan PRs with Semgrep. ## Why? This will eventually be an org-wide required workflow, but Github won't let us have access to it yet, so this PR manually adds scanning. ## Checklist How was this tested: Added manually in this way to many other repos with no issue.
Codecov Report
❗ Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the Github App Integration for your organization. Read more. @@ Coverage Diff @@
## main #230 +/- ##
=======================================
Coverage 64.22% 64.22%
=======================================
Files 13 13
Lines 995 995
=======================================
Hits 639 639
Misses 315 315
Partials 41 41 |
There was a problem hiding this comment.
@jlegrone - For confirmation here, while yes this unfortunately does use a non-public SemGrep thing to check, we have been promised that this won't ever fail a build or anything at least without being notified first. Will wait for your approval.
| name: semgrep/ci | ||
| runs-on: ubuntu-20.04 | ||
| env: | ||
| SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} |
There was a problem hiding this comment.
So this will be unset on PRs from forks, that won't fail PRs right? (sorry, I forget from other repos)
There was a problem hiding this comment.
It shouldn't fail PRs, but if someone went looking in their workflow run logs they would see the job complaining and failing to auth.
What was changed
Add Github workflow to scan PRs with Semgrep.
Why?
This will eventually be an org-wide required workflow, but Github won't let us have access to it yet, so this PR manually adds scanning.
Checklist
How was this tested:
Added manually in this way to many other repos with no issue.