ci: add Semgrep OSS scanning workflow #85

Open

hrushikeshdeshpande wants to merge 1 commit into master from hrushikesh/add-semgrep-oss-workflow

Conversation

@hrushikeshdeshpande

Summary

Adds Semgrep Community Edition (OSS) scanning to this repository as part of the App&ProdSec team's migration from Semgrep Pro to Semgrep CE.

What it does

  • Runs on every PR, on push to the main/master branch, and monthly on a staggered schedule.
  • Uses actions/cache@v5 so pip install semgrep only runs on cold cache (first run, version bump, or 7-day idle).
  • Pinned to semgrep==1.160.0 with --config=auto (default OSS ruleset).
  • Runs on ubuntu-slim with contents: read token scope.

For reviewers

  • Findings are informational; the job does not block on findings.
  • First PR after merge installs Semgrep; subsequent PRs skip that step.

See the internal App&ProdSec email for migration context, or ping us internally.
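The workflow file itself is not shown on this page. As an added illustration (not the PR's own diff), here is a GitHub Actions workflow that matches the behaviour the description lists: PR and push triggers, a monthly schedule, a cached virtualenv so the pip install only runs on a cold cache, Semgrep pinned to 1.160.0 with --config=auto, the ubuntu-slim runner and a read-only contents token. The cron expression, the virtualenv path, the step names and the presence of python3 on the runner image are assumptions.

```yaml
# Added example, not the workflow from PR #85. Assumed: cron value, venv path, python3 on the image.
name: Semgrep OSS

on:
  pull_request:
  push:
    branches: [main, master]
  schedule:
    # Assumed monthly slot; stagger the day/minute per repository so all
    # repos in the org do not hit the runner pool at the same time.
    - cron: "17 3 9 * *"

# Read-only token: the job only needs to check out the code.
permissions:
  contents: read

jobs:
  semgrep:
    runs-on: ubuntu-slim
    env:
      SEMGREP_VERSION: "1.160.0"
    steps:
      - uses: actions/checkout@v4

      # Restore a virtualenv keyed on OS + Semgrep version. A version bump
      # changes the key; GitHub also evicts caches not accessed for 7 days,
      # so those two cases (plus the first run) are the only cold-cache runs.
      - name: Restore Semgrep virtualenv
        id: semgrep-cache
        uses: actions/cache@v5
        with:
          path: ~/.semgrep-venv
          key: semgrep-${{ runner.os }}-${{ env.SEMGREP_VERSION }}

      # Only install when the cache missed; the pinned version keeps the
      # cached interpreter and the expected CLI in sync.
      - name: Install Semgrep (cold cache only)
        if: steps.semgrep-cache.outputs.cache-hit != 'true'
        run: |
          python3 -m venv ~/.semgrep-venv
          ~/.semgrep-venv/bin/pip install "semgrep==${SEMGREP_VERSION}"

      # No --error flag: Semgrep exits 0 even when it reports findings, so
      # the job stays informational and does not block the PR.
      - name: Run Semgrep
        run: ~/.semgrep-venv/bin/semgrep scan --config=auto .
```

Two things a reviewer may want to be aware of: the CLI version is pinned but --config=auto resolves its ruleset from the Semgrep registry at scan time, so the job needs outbound network access and the rules applied can change between runs without any change to this file; and because the scan runs without --error, findings only appear in the job log and nothing in this workflow will turn the check red.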

@therandomsecurityguy

Contributor

This project is dead, @hrushikeshdeshpande. It was rebooted here:

https://github.com/therandomsecurityguy/flan-go-scan
