diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml new file mode 100644 index 00000000..86672638 --- /dev/null +++ b/.github/workflows/sast.yml @@ -0,0 +1,26 @@ +name: SAST + +on: + pull_request: {} + push: + branches: + - master + workflow_dispatch: {} + + +jobs: + semgrep: + name: Semgrep SAST + runs-on: ubuntu-latest + permissions: + # required for all workflows + security-events: write + # only required for workflows in private repositories + actions: read + contents: read + + if: (github.actor != 'dependabot[bot]') + + steps: + - uses: actions/checkout@v4 + - uses: Kong/public-shared-actions/security-actions/semgrep@bd3d75259607dd015bea3b3313123f53b80e9d7f