From e5137c7decbbdbeef2a4eb7f394897b4666d1650 Mon Sep 17 00:00:00 2001
From: Aldo
Date: Thu, 6 Jun 2024 16:41:12 +0200
Subject: [PATCH] PIA-1914: Add semgrep static analyzer to CI
---
.github/workflows/semgrep.yaml | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 .github/workflows/semgrep.yaml
diff --git a/.github/workflows/semgrep.yaml b/.github/workflows/semgrep.yaml
new file mode 100644
index 0000000..9a7b04e
--- /dev/null
+++ b/.github/workflows/semgrep.yaml
@@ -0,0 +1,29 @@
+name: Security / Semgrep
+
+on:
+ pull_request:
+ push:
+ branches:
+ - master
+
+jobs:
+ semgrep:
+ name: Security / Semgrep
+ runs-on: ubuntu-latest
+ container:
+ image: semgrep/semgrep:1.68.0
+ if: (github.actor != 'dependabot[bot]')
+ steps:
+ - name: Checkout source repository
+ uses: actions/checkout@v4
+ - name: Scan with Semgrep
+ env:
+ # Connect to Semgrep Cloud Platform
+ SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+ run: |
+ semgrep ci \
+ --code \
+ --secrets \
+ --supply-chain \
+ --pro \
+ --no-suppress-errors
\ No newline at end of file
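Review bot: The new `semgrep` job declares no `permissions:` block, so it runs with the repository's default GITHUB_TOKEN scope although its steps only need to read the checkout; add `permissions:` / `  contents: read` at the job level (under `semgrep:`) or at workflow level so the token stays least-privilege. Both the action and the scanner image are pinned by mutable tags (`actions/checkout@v4`, `semgrep/semgrep:1.68.0`), so a tag move silently changes what executes in CI; pinning the action to a commit SHA and the image to a digest would make the job reproducible, which matters for a step whose output gates security findings. On the `pull_request` trigger, runs from forked repositories do not receive `secrets.SEMGREP_APP_TOKEN`, so `semgrep ci` will presumably run without a platform connection and, together with `--no-suppress-errors`, may fail rather than scan; either guard the scan step on the token being present or extend the comment above the env entry to state the expected behaviour for fork PRs.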