Implement automatic static code scan with Semgrep

.github/workflows/sast_semgrep_full.yml

@@ -0,0 +1,44 @@
+---
+name: Semgrep Full Scan
+
+on:
+  workflow_dispatch:
+    branches:
+      - main
+  schedule:
+    - cron:  '0 1 * * 6'
+
+jobs:
+
+  semgrep-full:
+      runs-on: ubuntu-latest
+      container:
+        image: returntocorp/semgrep
+
+      steps:
+
+        # step 1
+        - name: clone application source code
+          uses: actions/checkout@v3
+
+        # step 2
+        - name: full scan
+          run: |
+            semgrep \
+              --sarif --output report.sarif \
+              --metrics=off \
+              --config="p/default"
+
+        # step 3
+        - name: save report as pipeline artifact
+          uses: actions/upload-artifact@v3
+          with:
+            name: report.sarif
+            path: report.sarif
+
+        # step 4
+        - name: publish code scanning alerts
+          uses: github/codeql-action/upload-sarif@v2
+          with:
+            sarif_file: report.sarif
+            category: semgrep

.github/workflows/sast_semgrep_pull.yml

@@ -0,0 +1,28 @@
+---
+name: Semgrep Differential Scan
+on:
+  pull_request
+
+jobs:
+
+  semgrep-diff:
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+
+    steps:
+
+      # step 1
+      - name: clone application source code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      # step 2
+      - name: differential scan
+        run: |
+          semgrep scan \
+            --error \
+            --metrics=off \
+            --baseline-commit ${{ github.event.pull_request.base.sha }} \
+            --config="p/default"