refactor: Require ref and clean up a little bit (#56)

* Try without scanner-ref

* Remove scanner-ref from more places

* Add local workflow call

* Remove steps

* Add permissions

* Clean up a bit

* Add ref back

* Specify ref

* Fix monorepo path

* Rename ref back to scanner-ref

* Add analyse code to all-jobs-completed

* Fix consistency

* Update README

* Revert checkout step rename

* Add missing repository

* chore: bump semgrep upload

* Revert MONOREPO_PATH

* Hardcode monorepo path

---------

Co-authored-by: witmicko <witmicko@users.noreply.github.com>
Co-authored-by: witmicko <mjogrodniczak@gmail.com>

Author: Mrtenz

.github/workflows/main.yml

@@ -19,6 +19,16 @@ jobs:
         run: ${{ steps.download-actionlint.outputs.executable }} -color
         shell: bash
 
+  analyse-code:
+    name: Analyse code
+    uses: ./.github/workflows/security-scan.yml
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    with:
+      scanner-ref: ${{ github.ref }}
+
   build-lint-test:
     name: Build, lint, and test
     uses: ./.github/workflows/build-lint-test.yml
@@ -29,6 +39,7 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - check-workflows
+      - analyse-code
       - build-lint-test
     outputs:
       PASSED: ${{ steps.set-output.outputs.PASSED }}

.github/workflows/security-scan.yml

@@ -11,12 +11,8 @@ on:
         description: 'Repository that requested the scan'
         required: false
         type: string
-      scanner_ref:
-        description: 'Reference to the scanner repository'
-        required: false
-        type: string
-        default: 'main'
-      languages_config:
+        default: ${{ github.repository }}
+      languages-config:
         description: |
           Optional: JSON array of language configurations to override/supplement repo config file.
           Auto-detects languages and loads repo-specific config from packages/codeql-action/repo-configs/${repo}.cjs.
@@ -38,22 +34,26 @@ on:
         required: false
         type: string
         default: ''
-      paths_ignored:
+      scanner-ref:
+        description: 'The git ref of the scanner to use'
+        required: true
+        type: string
+      paths-ignored:
         description: 'Multi-line list of paths to ignore during scan (one path per line, supports glob patterns)'
         required: false
         type: string
         default: ''
-      rules_excluded:
+      rules-excluded:
         description: 'Comma delimited IDs of rules to exclude'
         required: false
         type: string
         default: ''
-      project_metrics_token:
+      project-metrics-token:
         description: 'Analytics token to log failed builds'
         required: false
         type: string
         default: ''
-      slack_webhook:
+      slack-webhook:
         description: 'Slack webhook for notifications'
         required: false
         type: string
@@ -65,6 +65,7 @@ env:
 jobs:
   # Detect languages and create matrix
   setup:
+    name: Setup
     runs-on: ubuntu-latest
     outputs:
       matrix: ${{ steps.detect-languages.outputs.matrix }}
@@ -73,7 +74,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           repository: MetaMask/action-security-code-scanner
-          ref: ${{ inputs.scanner_ref || 'main' }}
+          ref: ${{ inputs.scanner-ref }}
           path: ${{ env.MONOREPO_PATH }}
 
       - name: Checkout target repository
@@ -87,10 +88,11 @@ jobs:
         uses: ./.security-scanner/packages/language-detector
         with:
           repo: ${{ inputs.repo }}
-          languages_config: ${{ inputs.languages_config }}
+          languages_config: ${{ inputs.languages-config }}
 
   # Run CodeQL analysis for each detected language
   codeql-analysis:
+    name: CodeQL analysis
     needs: setup
     if: ${{ fromJSON(needs.setup.outputs.matrix).include[0] != null }}
     strategy:
@@ -106,7 +108,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           repository: MetaMask/action-security-code-scanner
-          ref: ${{ inputs.scanner_ref || 'main' }}
+          ref: ${{ inputs.scanner-ref }}
           path: ${{ env.MONOREPO_PATH }}
 
       - name: Checkout target repository
@@ -120,15 +122,16 @@ jobs:
         with:
           repo: ${{ inputs.repo }}
           language: ${{ matrix.language }}
-          paths_ignored: ${{ inputs.paths_ignored }}
-          rules_excluded: ${{ inputs.rules_excluded }}
+          paths_ignored: ${{ inputs.paths-ignored }}
+          rules_excluded: ${{ inputs.rules-excluded }}
           build_mode: ${{ matrix.build_mode }}
           build_command: ${{ matrix.build_command }}
           version: ${{ matrix.version }}
           distribution: ${{ matrix.distribution }}
 
   # Run Semgrep analysis once for all languages
   semgrep-analysis:
+    name: Semgrep analysis
     needs: setup
     runs-on: ubuntu-latest
     permissions:
@@ -140,7 +143,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           repository: MetaMask/action-security-code-scanner
-          ref: ${{ inputs.scanner_ref || 'main' }}
+          ref: ${{ inputs.scanner-ref }}
           path: ${{ env.MONOREPO_PATH }}
 
       - name: Checkout target repository
@@ -152,19 +155,20 @@ jobs:
       - name: Run Semgrep Analysis
         uses: ./.security-scanner/packages/semgrep-action
         with:
-          paths_ignored: ${{ inputs.paths_ignored }}
+          paths_ignored: ${{ inputs.paths-ignored }}
 
   # Collect results and handle notifications
   finalize:
+    name: Finalize scans and notify
     needs: [codeql-analysis, semgrep-analysis]
     if: always()
     runs-on: ubuntu-latest
     env:
-      SLACK_WEBHOOK: ${{ inputs.slack_webhook }}
-      PROJECT_METRICS_TOKEN: ${{ inputs.project_metrics_token }}
+      SLACK_WEBHOOK: ${{ inputs.slack-webhook }}
+      PROJECT_METRICS_TOKEN: ${{ inputs.project-metrics-token }}
       REPO: ${{ inputs.repo }}
     steps:
-      - name: Determine Overall Scan Success
+      - name: Determine overall scan result
         id: scan-result
         env:
           CODEQL_RESULT: ${{ needs.codeql-analysis.result }}

README.md

@@ -23,9 +23,9 @@ on: [push, pull_request]
 
 jobs:
   security-scan:
-    uses: metamask/security-codescanner-monorepo/.github/workflows/security-scan.yml@main
+    uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@v2
     with:
-      repo: ${{ github.repository }}
+      scanner-ref: v2
 ```
 
 The workflow will:

packages/semgrep-action/action.yml

@@ -36,7 +36,7 @@ runs:
       continue-on-error: true
 
     - name: Upload Semgrep Results to GitHub
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@v4
       with:
         sarif_file: semgrep-results.sarif
         checkout_path: ${{ github.workspace }}