Skip to content

chore(deps): bump the dependencies group with 1 update #92

chore(deps): bump the dependencies group with 1 update

chore(deps): bump the dependencies group with 1 update #92

Workflow file for this run

# PR単位で差分があるファイルに対してSemgrep(SASTツール)を実行し、
# 脆弱性につながる可能性のある記述をPRコメントで指摘するワークフローです
# 詳細は以下のドキュメントをご参照ください
# https://andpad-dev.esa.io/posts/8984
name: semgrep
on:
pull_request
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
semgrep:
name: semgrep
runs-on: ubuntu-latest
# Skip any PR created by dependabot to avoid permission issues
if: (github.actor != 'dependabot[bot]')
steps:
- name: Check out code
uses: actions/checkout@v4 # v3.5.3
with:
fetch-depth: 0
- uses: reviewdog/action-setup@80a06617492b461a66508e2dedf16233f0506804 # v1.0.6
- id: changed-files
uses: tj-actions/changed-files@a21a533a0c244a27daac02f9dc6fcf8aeb996154 # v39.1.1
- id: run-semgrep
if: steps.changed-files.outputs.all_changed_files_count != '0'
name: Run semgrep
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
docker run \
-v $(pwd):/workdir \
--workdir /workdir \
returntocorp/semgrep:1.27.0@sha256:7026020ebb6c1aa477431a2ba550df3ae4d080822e391d03bb816eeac700a36b \
semgrep scan --config auto --severity WARNING --json ${{ steps.changed-files.outputs.all_changed_files }} \
| jq -r '.results[] | "\(.path):\(.start.line):\(.start.col): \(.extra.message)"' \
| sed 's#^/workdir/##' \
| reviewdog \
-efm="%f:%l:%c: %m" \
-diff="git diff FETCH_HEAD" \
-level=warning \
-reporter=github-pr-review