name: Code Review on: pull_request: branches: ['main'] push: jobs: semgrep: name: Code Scan runs-on: ubuntu-latest container: image: returntocorp/semgrep steps: - name: Checkout code uses: actions/checkout@v3 - run: semgrep ci --exclude 'public/charting_library' env: SEMGREP_RULES: p/typescript sca: name: Dependency Scan runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v3 # Report all vulnerabilities in CI output - name: Report on all vulnerabilities uses: aquasecurity/trivy-action@master with: scan-type: 'fs' ignore-unfixed: true hide-progress: true format: 'table' # Fail the job on critical vulnerabiliies with fix available - name: Fail on critical vulnerabilities uses: aquasecurity/trivy-action@master with: scan-type: 'fs' ignore-unfixed: true hide-progress: true security-checks: 'vuln' # disable secrets scanning until public format: 'table' severity: 'CRITICAL' exit-code: '1'