[PR #877] ci: add Semgrep OSS scanning workflow #915

Open
opened 2026-05-06 13:10:49 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/877
Author: @hrushikeshdeshpande
Created: 4/23/2026
Status: 🔄 Open

Base: main ← Head: hrushikesh/add-semgrep-oss-workflow


📝 Commits (1)

  • 7a9594d ci: add Semgrep OSS scanning workflow

📊 Changes

1 file changed (+30 additions, -0 deletions)

.github/workflows/semgrep.yml (+30 -0)

📄 Description

Summary

Adds Semgrep Community Edition (OSS) scanning to this repository as part of the App&ProdSec team's migration from Semgrep Pro to Semgrep CE.

What it does

  • Runs on every PR, on push to the main/master branch, and monthly on a staggered schedule.
  • Uses actions/cache@v5 so pip install semgrep only runs on cold cache (first run, version bump, or 7-day idle).
  • Pinned to semgrep==1.160.0 with --config=auto (default OSS ruleset).
  • Runs on ubuntu-slim with contents: read token scope.

For reviewers

  • Findings are informational; the job does not block on findings.
  • First PR after merge installs Semgrep; subsequent PRs skip that step.

See the internal App&ProdSec email for migration context, or ping us internally.
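For illustration, a workflow laid out the way the description above lists it. This is an added example, not the PR's own `.github/workflows/semgrep.yml`; the `actions/checkout` and `actions/setup-python` steps, the Python version, the cache path and the cron slot are assumptions, while the version pin, cache action, runner label, token scope and `--config=auto` are taken from the description.

```yaml
name: Semgrep OSS

on:
  pull_request:
  push:
    branches: [main, master]
  schedule:
    # Monthly run; day and hour are a placeholder for the staggered slot.
    - cron: "17 3 9 * *"

# Least privilege: the scan only needs to read the checkout.
permissions:
  contents: read

jobs:
  semgrep:
    runs-on: ubuntu-slim
    env:
      SEMGREP_VERSION: "1.160.0"   # pin from the PR; bumping it invalidates the cache

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5   # assumed; ubuntu-slim may not ship Python
        with:
          python-version: "3.12"

      # Cache the user site-packages so `pip install` only runs on a cold cache
      # (first run, version bump, or after GitHub's 7-day idle eviction).
      - id: semgrep-cache
        uses: actions/cache@v5
        with:
          path: ~/.local            # assumed location used by `pip install --user`
          key: semgrep-${{ runner.os }}-py3.12-${{ env.SEMGREP_VERSION }}

      - if: steps.semgrep-cache.outputs.cache-hit != 'true'
        run: pip install --user "semgrep==${SEMGREP_VERSION}"

      # `--config=auto` pulls the default OSS ruleset from the Semgrep registry,
      # so this step needs outbound network access from the runner.
      - name: Semgrep scan (informational)
        run: ~/.local/bin/semgrep scan --config=auto
        continue-on-error: true   # findings are reported but never fail the job
```

The cache key includes the pinned version, so a version bump misses the cache and reinstalls, which is the behaviour the description relies on.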


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.