chore: Enable code scanning via Semgrep

.github/workflows/semgrep-analysis.yml

@@ -0,0 +1,39 @@
+name: Semgrep
+
+on:
+ # Scan changed files in PRs, block on new issues only (existing issues ignored)
+ pull_request:
+
+ push:
+ branches: ["dev", "main"]
+
+ schedule:
+ - cron: '23 20 * * 1'
+
+ # Manually trigger the workflow
+ workflow_dispatch:
+
+jobs:
+ semgrep:
+ name: Scan
+ runs-on: ubuntu-latest
+ container:
+ image: returntocorp/semgrep
+ # Skip any PR created by dependabot to avoid permission issues
+ if: (github.actor != 'dependabot[bot]')
+ steps:
+ # Fetch project source
+ - uses: actions/checkout@v4
+
+ - run: semgrep scan --sarif --output=semgrep.sarif
+ env:
+ SEMGREP_RULES: >- # more at semgrep.dev/explore
+ p/security-audit
+ p/secrets
+ p/owasp-top-ten
+
+ - name: Upload SARIF file for GitHub Advanced Security Dashboard
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: semgrep.sarif
+ if: always()

.semgrepignore

@@ -0,0 +1,2 @@
+/sampleapps
+/test