fix: Semgrep CI integration (#315)

son-oz · web-flow · commit a2bc23baa276 · 2025-07-18T08:23:59.000-04:00
Fix Semgrep CI integration
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -2,7 +2,7 @@ name: Semgrep
 
 on:
   # Scan changed files in PRs (diff-aware scanning):
-  pull_request: {}
+  pull_request_target: {}
   # Scan on-demand through GitHub Actions interface:
   workflow_dispatch: {}
   # Scan mainline branches and report all findings:
@@ -18,8 +18,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       security-events: write
-      contents: read
-      actions: read
+      # contents: read
+      # actions: read
 
     container:
       image: semgrep/semgrep@sha256:85f9de554201cc891c470774bb93a7f4faf41ea198ddccc34a855b53f7a51443  # v1.127.1
@@ -39,7 +39,10 @@ jobs:
         env:
           # Connect to Semgrep AppSec Platform through your SEMGREP_APP_TOKEN.
           SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
-
+          # Do not check for new version
+          SEMGREP_ENABLE_VERSION_CHECK: 0
+          # No metrics
+          SEMGREP_SEND_METRICS: no
       - name: Upload SARIF file for GitHub Advanced Security Dashboard
         uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e  # v3.28.19
         with:
