name: Semgrep on: pull_request: {} push: branches: - master paths: - .github/workflows/semgrep.yml schedule: # Weekly - cron: "0 0 * * 0" jobs: semgrep: name: Scan runs-on: ubuntu-latest env: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} container: image: returntocorp/semgrep if: (github.actor != 'dependabot[bot]') steps: - uses: actions/checkout@v4 - run: semgrep ci