From a47d08d42e4f8a6fb7792e0123f51a5c343e6098 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCrgen=20M=C3=BClbert?=
Date: Sun, 29 Oct 2023 11:23:56 +0100
Subject: [PATCH 1/2] add semgrep.yml workflow
---
 .github/workflows/semgrep.yml | 38 +++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/semgrep.yml
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 00000000..34bac764
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,38 @@
+---
+# Name of this GitHub Actions workflow.
+name: Semgrep
+
+on:
+ pull_request:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ # Täglicher Scan um 17:20 Uhr UTC.
+ schedule:
+ - cron: "20 17 * * *"
+
+jobs:
+ semgrep:
+ name: semgrep/ci
+ runs-on: ubuntu-latest
+
+ container:
+ image: returntocorp/semgrep
+
+ if: (github.actor != 'dependabot[bot]')
+
+ steps:
+ - name: "🧰 Check out code"
+ uses: actions/checkout@v3
+
+ - name: Run semgrep ci
+ run: semgrep ci --sarif --output=semgrep.sarif
+ env:
+ SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+
+ - name: Upload SARIF file for GitHub Advanced Security Dashboard
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: semgrep.sarif
+ if: always()
From 3fb3f87a387523a6323a111e4621c714c0b79dd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCrgen=20M=C3=BClbert?=
Date: Wed, 1 Nov 2023 10:07:49 +0100
Subject: [PATCH 2/2] fix: scorecard.yml to hashes
---
 .github/workflows/scorecard.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 3bdc328e..1aa0f03a 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
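Review bot: The new workflow references its actions by mutable tags (`uses: actions/checkout@v3`, `uses: github/codeql-action/upload-sarif@v2`) and runs in `container: image: returntocorp/semgrep` with no tag or digest, so none of its supply chain is pinned, while PATCH 2/2 of this same series moves scorecard.yml to commit SHAs. Reuse the pins that patch already carries (`actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2` and `github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4`) and pin the image to an immutable digest so the scanner itself cannot change underneath the job. The job also declares no `permissions:` block, so it inherits the repository's default token scope; `upload-sarif` needs `security-events: write` and the checkout only `contents: read`, so grant exactly those at job level. The rewritten lines are below.
```yaml
jobs:
  semgrep:
    # … unchanged: name, runs-on …
    # Least privilege: checkout reads contents, upload-sarif writes code-scanning results.
    permissions:
      contents: read
      security-events: write

    container:
      # Placeholder: replace <IMAGE_DIGEST> with the verified sha256 digest of the scanner release.
      image: returntocorp/semgrep@sha256:<IMAGE_DIGEST>

    # … unchanged: if condition, steps header, checkout step name …
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
    # … unchanged: Run semgrep ci step, upload step name …
        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
    # … unchanged: with, sarif_file, if: always() …
```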
@@ -32,14 +32,14 @@ jobs:
 uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: "Run analysis"
- uses: ossf/scorecard-action@v2
+ uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
 with:
 results_file: results.sarif
 results_format: sarif
 publish_results: true
 - name: "Upload artifact"
- uses: actions/upload-artifact@v3 # v3.1.2
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
 with:
 name: SARIF file
 path: results.sarif
@@ -47,6 +47,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@v2 # v2.2.4
+ uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
 with:
 sarif_file: results.sarif
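Review bot: The new `uses:` lines pair each commit SHA with a version comment (`# v2.1.3`, `# v3.1.2`, `# v2.2.4`), and nothing in the diff shows those pairings were checked against the upstream tags; a correct-looking comment next to a wrong SHA is the one mistake SHA pinning makes hard to spot later, so confirm each hash is the commit the named tag points to before merging. Keeping the comment accurate also matters because automated updaters (Dependabot's `github-actions` ecosystem, Renovate) read it when bumping SHA pins, so enabling one of them would keep these hashes from going stale. The same pinning still needs to be applied to the tag-referenced actions in semgrep.yml from PATCH 1/2, which this series leaves unpinned.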