diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 0000000000..9570d52ddc --- /dev/null +++ b/.github/workflows/semgrep.yml @@ -0,0 +1,41 @@ +name: Semgrep +on: + # Scan changed files in PRs, block on new issues only (existing issues ignored) + pull_request: {} + push: + branches: + - main + paths: + - .github/workflows/semgrep.yml + schedule: + - cron: '0 0 * * 0' +jobs: + semgrep: + name: Scan + runs-on: ubuntu-latest + if: (github.actor != 'dependabot[bot]') + steps: + - uses: actions/checkout@v2 + - name: Get Diff + uses: technote-space/get-diff-action@v6.0.1 + with: + PATTERNS: | + **/*.go + **/*.js + **/*.ts + **/*.sol + go.mod + go.sum + - uses: returntocorp/semgrep-action@v1 + with: + publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} + # Upload findings to GitHub Advanced Security Dashboard [step 1/2] + # See also the next step. + generateSarif: "1" + if: "env.GIT_DIFF_FILTERED != ''" + # Upload findings to GitHub Advanced Security Dashboard [step 2/2] + - name: Upload SARIF file for GitHub Advanced Security Dashboard + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: semgrep.sarif + if: "env.GIT_DIFF_FILTERED != ''" diff --git a/.semgrepignore b/.semgrepignore new file mode 100644 index 0000000000..cb655af10c --- /dev/null +++ b/.semgrepignore @@ -0,0 +1,29 @@ +# Ignore git items +.gitignore +.git/ +:include .gitignore + +# Common large paths +node_modules/ +build/ +dist/ +vendor/ +.env/ +.venv/ +.tox/ +*.min.js +*.pb.gw.go + +# Common test paths +test/ +tests/ +*_test.go + +# Semgrep rules folder +.semgrep + +# Semgrep-action log folder +.semgrep_logs/ + +# Documentation +client/docs/ \ No newline at end of file