From feda56146aa626446abaff95e60eb56445721e27 Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Thu, 2 Jul 2026 10:51:11 -0700 Subject: [PATCH] ci: add xgrep security scan workflow --- .github/workflows/security.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/workflows/security.yml diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..4906d93 --- /dev/null +++ b/.github/workflows/security.yml @@ -0,0 +1,28 @@ +name: security + +on: + push: + branches: [main] + pull_request: + +permissions: + contents: read + security-events: write + +jobs: + xgrep: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + fetch-depth: 0 # full history so PR scans are diff-aware + - uses: mondoohq/actions/xgrep@b41754752763419780430abef5e35842ba2bec66 # v13.2.0 + with: + # Report-only to start: findings land in the Security tab without + # blocking merges. Tighten to "error" once the baseline is triaged. + fail-on: off + - uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + if: always() + with: + sarif_file: results.sarif + category: xgrep