# Name of this GitHub Actions workflow.
name: Check-Semgrep

on:
  workflow_call:
  workflow_dispatch:
  schedule:
    - cron: 0 0 * * *
  push:
    branches:
      - "**"
    tags:
      - "v*.*.*"
    paths-ignore:
      - "**/*.md"
      - "**/*.yaml"
  pull_request:
    branches:
      - "**"
    paths-ignore:
      - "**/*.md"
      - "**/*.yaml"

jobs:
  semgrep:
    name: Scan
    runs-on: ubuntu-24.04
    container:
      image: semgrep/semgrep:latest
    continue-on-error: true
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@v6
      - run: |
          semgrep ci \
            --config p/ci \
            --config p/security-audit \
            --config p/golang \
            --config p/react \
            --config p/javascript \
            --config p/owasp-top-ten