---
# Static-analysis workflow: runs Semgrep over the repository on pushes to
# master and on pull requests that target master.
name: Semgrep Security Scan

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

# Workflow-wide GITHUB_TOKEN scope: read access to repository contents only.
permissions:
  contents: read

jobs:
  semgrep-security-scan:
    name: Semgrep Security Scan
    runs-on: ubuntu-latest
    # Runs triggered by Dependabot are skipped to avoid permission issues.
    # Consequence: pull requests opened by Dependabot are not scanned by this
    # job.
    if: github.actor != 'dependabot[bot]'
    steps:
      # NOTE(review): both actions below are referenced by mutable tags;
      # pinning each to a full commit SHA would keep a re-pointed tag from
      # changing what runs in this job.

      # Fetch project source
      - uses: actions/checkout@v2

      # Scan the checked-out tree with the rulesets listed under `config`.
      - uses: returntocorp/semgrep-action@v1
        with:
          # `>-` folds the indented lines into one space-separated string with
          # no trailing newline; the comment on the header line is a YAML
          # comment and is not part of the value.
          config: >- # more at semgrep.dev/explore
            p/security-audit
            p/secrets
            p/phpcs-security-audit
        env:
          # Presumably a timeout in seconds read by the Semgrep action; confirm
          # the unit and scope against the action's documentation. Quoted so
          # the value is passed as a string.
          SEMGREP_TIMEOUT: "9900"