diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml
new file mode 100644
index 0000000..eacdbdd
--- /dev/null
+++ b/.github/workflows/code-scanning.yml
@@ -0,0 +1,56 @@
+name: "Code Analysis"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '0 0 * * 1' # Runs every Monday at midnight, this is to ensure that there is at least 1 scan every 7 days.
+
+ workflow_dispatch:
+
+
+concurrency:
+ group: codeql-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ analyze:
+ name: Analyze Scala
+ runs-on: 'ubuntu-latest'
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: 'false'
+
+ - name: Clone Forked Rules Repo
+ uses: actions/checkout@v4
+ with:
+ repository: 'Iterable/semgrep-rules'
+ path: 'scala-security'
+
+ - name: Run Semgrep using Forked Rules
+ uses: semgrep/semgrep-action@713efdd345f3035192eaa63f56867b88e63e4e5d
+ with:
+ config: "scala-security/scala"
+ generateSarif: "1"
+
+ - name: Upload SARIF results to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v4
+ if: always()
+ with:
+ sarif_file: semgrep.sarif
+ category: semgrep
diff --git a/.github/workflows/dependency-graph.yml b/.github/workflows/dependency-graph.yml
index fce7045..2dcecc2 100644
--- a/.github/workflows/dependency-graph.yml
+++ b/.github/workflows/dependency-graph.yml
@@ -23,7 +23,7 @@ jobs:
 distribution: temurin
 java-version: 21
 cache: sbt
- - uses: sbt/setup-sbt@dd1ef7d7798fab5ce802a6adab3b782817b8c2d0 # v1
+ - uses: sbt/setup-sbt@508b753e53cb6095967669e0911487d2b9bc9f41 # v1.1.22
 - name: Upload dependency graph
 uses: scalacenter/sbt-dependency-submission@f43202114d7522a4b233e052f82c2eea8d658134 # v3.2.1
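Review bot: The second checkout step (`Clone Forked Rules Repo`) fetches `Iterable/semgrep-rules` at its default branch with no `ref:` and without `persist-credentials: 'false'`, so the rule set Semgrep executes can change underneath this workflow between runs and the job's GITHUB_TOKEN is left in `scala-security/.git/config`, where it could be read by the third-party Semgrep step that runs next; add `persist-credentials: 'false'` and a `ref:` pinned to a full commit SHA under that step's `with:`, mirroring the first checkout. In the same hunk `semgrep/semgrep-action` is SHA-pinned but `actions/checkout@v4` and `github/codeql-action/upload-sarif@v4` stay on mutable tags, and the SHA pin carries no `# vX.Y.Z` comment like the `setup-sbt` pins elsewhere in this diff, so pin all three consistently and annotate the version. The `permissions:` comments are copied from the CodeQL template: `packages: read` ("required to fetch internal or private CodeQL packs") has no consumer in a Semgrep-only job and can be dropped under least privilege. Finally, `cancel-in-progress: true` with group `codeql-${{ github.ref }}` means a push to `main` cancels an in-flight scheduled scan on the same ref, which works against the "at least 1 scan every 7 days" intent stated on the `cron` line; consider keying the group on `github.workflow` and `github.event_name`, or cancelling only for `pull_request` events.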
diff --git a/.github/workflows/publish-github-packages.yml b/.github/workflows/publish-github-packages.yml
index d51428b..c9f62bd 100644
--- a/.github/workflows/publish-github-packages.yml
+++ b/.github/workflows/publish-github-packages.yml
@@ -30,7 +30,7 @@ jobs:
 distribution: temurin
 java-version: 21
 cache: sbt
- - uses: sbt/setup-sbt@dd1ef7d7798fab5ce802a6adab3b782817b8c2d0 # v1
+ - uses: sbt/setup-sbt@508b753e53cb6095967669e0911487d2b9bc9f41 # v1.1.22
 - name: Publish
 shell: bash
diff --git a/.github/workflows/scala.yml b/.github/workflows/scala.yml
index e793352..7c623a2 100644
--- a/.github/workflows/scala.yml
+++ b/.github/workflows/scala.yml
@@ -26,7 +26,7 @@ jobs:
 distribution: temurin
 java-version: 21
 cache: sbt
- - uses: sbt/setup-sbt@dd1ef7d7798fab5ce802a6adab3b782817b8c2d0 # v1
+ - uses: sbt/setup-sbt@508b753e53cb6095967669e0911487d2b9bc9f41 # v1.1.22
 - name: Build and test
 shell: bash
@@ -44,7 +44,7 @@ jobs:
 distribution: temurin
 java-version: 21
 cache: sbt
- - uses: sbt/setup-sbt@dd1ef7d7798fab5ce802a6adab3b782817b8c2d0 # v1
+ - uses: sbt/setup-sbt@508b753e53cb6095967669e0911487d2b9bc9f41 # v1.1.22
 - name: Build docs
 shell: bash