# Name of this GitHub Actions workflow.
name: Semgrep

on:
  pull_request: {}

jobs:
  semgrep:
    name: Scan
    runs-on: ubuntu-latest
    container:
      image: returntocorp/semgrep
    # Skip any PR created by dependabot to avoid permission issues
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@v4

      - run: semgrep ci
        env:
          SEMGREP_RULES: p/default p/golang p/secrets