Skip to content

security: container + CI hardening — .dockerignore, SHA-pin actions, drop sudo/C_FORCE_ROOT, no-new-privileges (F-012..F-017) #1000

security: container + CI hardening — .dockerignore, SHA-pin actions, drop sudo/C_FORCE_ROOT, no-new-privileges (F-012..F-017)

security: container + CI hardening — .dockerignore, SHA-pin actions, drop sudo/C_FORCE_ROOT, no-new-privileges (F-012..F-017) #1000

Workflow file for this run

name: Semgrep
permissions:
contents: read
security-events: write
on:
pull_request: {}
push:
branches:
- main
paths:
- .github/workflows/semgrep.yml
schedule:
# random HH:MM to avoid a load spike on GitHub Actions at 00:00
- cron: 0 7 * * *
jobs:
semgrep:
name: Scan
runs-on: ubuntu-20.04
container:
image: returntocorp/semgrep:1.166.0
if: (github.actor != 'dependabot[bot]')
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- run: semgrep --error --config "p/cwe-top-25" --config "p/owasp-top-ten" --config "p/r2c-security-audit"