Semgrep CE scan workflow (pwndoc/pwndoc)
The Semgrep CE scan workflow from pwndoc/pwndoc, explained and optimized by Latchkey.
C
CI health: C - fair
Point runs-on at Latchkey and get run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Semgrep CE scan workflow from the pwndoc/pwndoc repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
workflow (.yml)
# Name of this GitHub Actions workflow.
name: Semgrep CE scan
on:
# Scan changed files in PRs (diff-aware scanning):
pull_request: {}
# Scan on-demand through GitHub Actions interface:
workflow_dispatch: {}
# Scan mainline branches and report all findings:
push:
branches: ["master", "main"]
# Schedule the CI job (this method uses cron syntax):
schedule:
- cron: '20 17 * * *' # Sets Semgrep to scan every day at 17:20 UTC.
# It is recommended to change the schedule to a random time.
permissions:
contents: read
jobs:
semgrep:
# User definable name of this GitHub Actions job.
name: semgrep-oss/scan
# If you are self-hosting, change the following `runs-on` value:
runs-on: ubuntu-latest
container:
# A Docker image with Semgrep installed. Do not change this.
image: semgrep/semgrep
# Skip any PR created by dependabot to avoid permission issues:
if: (github.actor != 'dependabot[bot]')
steps:
# Fetch project source with GitHub Actions Checkout. Use either v3 or v4.
- uses: actions/checkout@v4
# Run the "semgrep scan" command on the command line of the docker image.
- run: semgrep scan --config auto
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
# Name of this GitHub Actions workflow. name: Semgrep CE scan on: # Scan changed files in PRs (diff-aware scanning): pull_request: {} # Scan on-demand through GitHub Actions interface: workflow_dispatch: {} # Scan mainline branches and report all findings: push: branches: ["master", "main"] # Schedule the CI job (this method uses cron syntax): schedule: - cron: '20 17 * * *' # Sets Semgrep to scan every day at 17:20 UTC. # It is recommended to change the schedule to a random time. permissions: contents: read concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: semgrep: timeout-minutes: 30 # User definable name of this GitHub Actions job. name: semgrep-oss/scan # If you are self-hosting, change the following `runs-on` value: runs-on: latchkey-small container: # A Docker image with Semgrep installed. Do not change this. image: semgrep/semgrep # Skip any PR created by dependabot to avoid permission issues: if: (github.actor != 'dependabot[bot]') steps: # Fetch project source with GitHub Actions Checkout. Use either v3 or v4. - uses: actions/checkout@v4 # Run the "semgrep scan" command on the command line of the docker image. - run: semgrep scan --config auto
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Add a job timeout so a hung step cannot burn hours of runner time.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.