org rules

eloymg · eloymg · commit 6906cede927e · 2026-02-18T15:00:34.000+01:00
diff --git a/.github/workflows/semprep.yaml b/.github/workflows/semprep.yaml
@@ -1,4 +1,4 @@
-name: zizmor GitHub Actions static analysis
+name: Semgrep static analysis
 on:
   push:
   pull_request:
@@ -22,7 +22,15 @@ jobs:
       # A Docker image with Semgrep installed. Do not change this.
       image: semgrep/semgrep
     steps:
-      # Fetch project source with GitHub Actions Checkout. Use either v3 or v4.
+      # Fetch project source with GitHub Actions Checkout.
       - uses: actions/checkout@v4
-      # Run the "semgrep scan" command on the command line of the docker image.
-      - run: semgrep scan --config auto
+
+      # Fetch org-wide custom Semgrep rules from the central repository.
+      - uses: actions/checkout@v4
+        with:
+          repository: grafana/security-github-actions
+          path: .semgrep-org-rules
+          sparse-checkout: sempgrep/custom-rules.yaml
+
+      # Run semgrep with: auto rules + org-wide shared rules
+      - run: semgrep scan --config auto --config .semgrep-org-rules/.semgrep/
diff --git a/semgrep/custom-rules.yaml b/semgrep/custom-rules.yaml
@@ -0,0 +1,13 @@
+rules:
+  - id: deny-actions-create-github-app-token
+    patterns:
+      - pattern-regex: "uses:\\s*actions/create-github-app-token"
+    paths:
+      include:
+        - "*.yaml"
+        - "*.yml"
+    message: >
+      Do not use actions/create-github-app-token. Use the organization's
+      approved alternative for generating GitHub App tokens.
+    languages: [generic]
+    severity: ERROR
