name: Semgrep scan

on:
  workflow_dispatch:
  pull_request:
env:
  configs: "rules/ p/ci p/security-audit p/owasp-top-ten"

permissions:
  contents: read
  pull-requests: write

jobs:
  semgrep:
    name: Run Semgrep
    runs-on: ubuntu-latest
    container:
      image: returntocorp/semgrep:1.86
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Fetch the entire history
      - name: Mark the Git repository as safe
        run: |
          git config --global --add safe.directory $GITHUB_WORKSPACE
      - name: Fetch all branches and tags
        run: |
          git fetch --all
          git fetch --tags
      - name: run semgrep
        id: run_semgrep
        env:
          SEMGREP_RULES: ${{ env.configs }}
          SEMGREP_ENABLE_VERSION_CHECK: 0
          SEMGREP_SEND_METRICS: off
        shell: bash
        run: |
          semgrep scan . --error --gitlab-sast -o /tmp/semgrep.json
      - name: Show Semgrep report
        if: success() || failure()
        run: cat /tmp/semgrep.json