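---
# Semgrep SAST: runs the Semgrep CLI against the checked-out repository with
# the registry rulesets listed below and publishes the JSON findings as a
# workflow artifact.
#
# Triggers: every pull request targeting main, a weekly scheduled run
# (Monday 03:00 UTC) and manual dispatch.
name: Semgrep SAST

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 3 * * 1" # Weekly on Monday at 3am UTC
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the only step that uses it is the
# checkout, which needs read access to the repository contents and nothing
# more. Without this stanza the job inherits the repository's default token
# permissions, which may include write scopes.
permissions:
  contents: read

# NOTE(review): the previous revision exported GIT_SSL_NO_VERIFY="true" and
# NODE_TLS_REJECT_UNAUTHORIZED="0" at workflow level. The first turns off TLS
# certificate verification for every git operation in the job (the clone done
# by actions/checkout included); the second does the same for every Node
# process, which presumably covers the JavaScript-based checkout and
# upload-artifact actions and their HTTPS calls. Either one lets an on-path
# attacker serve tampered source or intercept the results, so both are
# removed. If they were added to get through a TLS-intercepting proxy, install
# that proxy's CA certificate on the runner/container instead of disabling
# verification.

jobs:
  semgrep:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    container:
      # TODO(review): pin this image to an immutable digest
      # (returntocorp/semgrep@sha256:...) rather than a mutable tag, so a
      # retagged or compromised image cannot silently change the scanner
      # that runs against the code. The digest is not known from this file
      # and must be taken from the registry.
      image: returntocorp/semgrep

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # `--error` makes semgrep exit non-zero when it reports findings, so
      # this step fails the job -- and therefore the PR check -- on findings.
      # The previous revision also set `continue-on-error: true` on this step,
      # which swallowed that exit status and made `--error` a no-op: findings
      # were recorded in the artifact but could never block a merge. The
      # override is dropped so the gate is real; the results file is still
      # uploaded by the `if: always()` step below even when this step fails.
      - name: Run Semgrep
        run: >
          semgrep scan
          --config p/auto
          --config p/owasp-top-ten
          --config p/r2c-security-audit
          --error
          --json
          --output semgrep-results.json
          .

      # Runs whether or not the scan step failed, so reviewers can always
      # retrieve the findings that caused a red check.
      - name: Upload Semgrep results
        if: always()
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: semgrep-results
          path: semgrep-results.json
          retention-days: 30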