refactor: use reusable workflow for semgrep (#311)

dvarasani-crest · web-flow · commit d875027d91a7 · 2024-08-30T11:35:30.000+02:00
Updated the build-test-release workflow to use [sast-scan](https://github.com/splunk/sast-scanning) owned by product security team instead of using custom implementation. Ref: https://splunk.atlassian.net/browse/ADDON-72309 Test workflow run: https://github.com/splunk/splunk-add-on-for-servicenow/actions/runs/10596615468 Tested on PR: splunk/splunk-add-on-for-servicenow#751 Workflow is not tested for the failure scenario because we need to have blocker findings by the semgrep in order to fail the workflow. Currently all rules are in monitor mode so any findings by the semgrep will be non-blocker resulting in semgrep stage to pass everytime. Discussion with the semgrep team: https://splunk.slack.com/archives/C011ELTV7FG/p1724923496371529
diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml
@@ -305,19 +305,11 @@ jobs:
         with:
           extra_args: -x .github/workflows/exclude-patterns.txt --json --only-verified
           version: 3.77.0
-          
+
   semgrep:
-    runs-on: ubuntu-latest
-    name: security-sast-semgrep
-    container:
-      image: returntocorp/semgrep
-    steps:
-      - uses: actions/checkout@v4
-      - name: Semgrep
-        id: semgrep
-        run: semgrep ci
-        env:
-          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_PUBLISH_TOKEN }}
+    uses: splunk/sast-scanning/.github/workflows/sast-scan.yml@main
+    secrets:
+      SEMGREP_KEY: ${{ secrets.SEMGREP_PUBLISH_TOKEN }}
 
   test-inventory:
     runs-on: ubuntu-latest
