Skip to content

CI: migrate off the archived semgrep/semgrep-action #196

Description

@pmatos

Follow-up from #192. zizmor's archived-uses audit (High confidence) flags semgrep/semgrep-action as coming from an archived repository — it will not receive security updates.

It is currently allow-listed in .github/zizmor.yml (with a rationale comment) so the workflow-lint job stays green. Migrating changes an existing, green scan job, so it was kept separate from the hardening PR.

  • Replace semgrep/semgrep-action@v1 with the semgrep CLI (e.g. run semgrep scan --config auto --error via uvx semgrep or the pinned-by-digest semgrep/semgrep container), preserving config: auto and the gating behavior.
  • Confirm the scan stays green (no new blocking findings, submodules excluded).
  • Remove the archived-uses ignore from .github/zizmor.yml.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestgithub_actionsPull requests that update GitHub Actions code

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions