From 9058aa20993e8f86ba71be400b6a972478e991a5 Mon Sep 17 00:00:00 2001
From: Malhar Khimsaria
Date: Thu, 14 Apr 2022 15:04:40 -0400
Subject: [PATCH] chore: enable semgrep

---
 .github/workflows/semgrep-analysis.yml | 36 ++++++++++++++++++++++++++
 .semgrepignore | 1 +
 2 files changed, 37 insertions(+)
 create mode 100644 .github/workflows/semgrep-analysis.yml
 create mode 100644 .semgrepignore

diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml
new file mode 100644
index 000000000..783c5acbe
--- /dev/null
+++ b/.github/workflows/semgrep-analysis.yml
@@ -0,0 +1,36 @@
+name: Semgrep
+
+on:
+  # Scan changed files in PRs, block on new issues only (existing issues ignored)
+  pull_request:
+
+  push:
+    branches: ["dev", "main"]
+
+  schedule:
+    - cron: '23 20 * * 1'
+
+jobs:
+  semgrep:
+    name: Scan
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    # Skip any PR created by dependabot to avoid permission issues
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      # Fetch project source
+      - uses: actions/checkout@v3
+
+      - run: semgrep scan --sarif --output=semgrep.sarif
+        env:
+          SEMGREP_RULES: >- # more at semgrep.dev/explore
+            p/security-audit
+            p/secrets
+            p/owasp-top-ten
+
+      - name: Upload SARIF file for GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: semgrep.sarif
+        if: always()
\ No newline at end of file
diff --git a/.semgrepignore b/.semgrepignore
new file mode 100644
index 000000000..ac7191dd2
--- /dev/null
+++ b/.semgrepignore
@@ -0,0 +1 @@
+testapps/
\ No newline at end of file
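Review bot: The `semgrep` job declares no `permissions:` block, so the `GITHUB_TOKEN` available inside the scanner container and to `upload-sarif` carries the repository's default token scope rather than the least privilege the job needs; add at the job level `permissions:` / `  contents: read` / `  security-events: write` (the latter is what `upload-sarif` requires to publish results). The actions are referenced by mutable tags (`actions/checkout@v3`, `github/codeql-action/upload-sarif@v2`) and the scanner runs from an untagged `returntocorp/semgrep` image, so the code that reads the whole checkout can change without any commit in this repository; pin each to a full-length commit SHA or image digest (e.g. `image: returntocorp/semgrep@sha256:<DIGEST>`) so updates arrive as reviewable diffs. The comment under `on:` promising to "block on new issues only (existing issues ignored)" does not appear to match the invoked command: as far as I can tell `semgrep scan` reports every finding in the checkout, while diff-aware baselining is provided by `semgrep ci` or `--baseline-commit`, so either the comment or the command should be adjusted to avoid misleading the next maintainer.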