ci: Use new semgrep configuration

[Czaki]

Summary by CodeRabbit

• Chores
  • Updated the CI workflow to enhance code scanning processes.
  • Added manual trigger option for the workflow.
  • Improved CI performance by skipping unnecessary runs for automated dependency updates.
  • Upgraded version control actions for better compatibility and security.
  • Integrated with Semgrep Cloud for advanced code analysis features.

[coderabbitai]

Walkthrough

The GitHub Actions workflow for Semgrep has been updated to include manual triggers, better integration with Semgrep Cloud, and optimizations for CI/CD. The job has been renamed, the Docker image reference updated, and a new conditional check has been added to skip analysis on dependabot PRs. The checkout action has been downgraded for compatibility, and the Semgrep execution command has been modified to use a direct invocation within the Docker image.

Changes

File Path	Change Summary
.github/workflows/semgrep.yml	- Added workflow_dispatch trigger - Renamed job to "semgrep/ci" - Updated Docker image reference to returntocorp/semgrep - Added conditional check for dependabot[bot] - Downgraded actions/checkout to v3 - Replaced Semgrep action with custom command - Added SEMGREP_APP_TOKEN environment variable

Poem

🐇✨
In the realm of code, where the checks do leap,
A rabbit hopped in, with a bound so deep.
"To the cloud!" it cheered, with a joyful tweak,
"Let's scan our code, every commit, every week!"
🌟🚀

---

Tips

Chat with CodeRabbit Bot (@coderabbitai)

• If you reply to a review comment from CodeRabbit, the bot will automatically respond.
• To engage with CodeRabbit bot directly around the specific lines of code in the PR, mention @coderabbitai in your review comment
• Note: Review comments are made on code diffs or files, not on the PR overview.
• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Note: For conversation with the bot, please use the review comments on code diffs or files.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between b301c39 and daebb94.

Files selected for processing (1)

• .github/workflows/semgrep.yml (2 hunks)

Additional comments: 3

.github/workflows/semgrep.yml (3)

• 1-5: The addition of workflow_dispatch allows for manual triggering of the workflow, which aligns with the PR objectives.

• 14-38: The job renaming, Docker image reference update, conditional check for dependabot[bot], actions/checkout version change, and the addition of SEMGREP_APP_TOKEN are all in line with the PR objectives.

• 33-33: The replacement of the returntocorp/semgrep-action@v1 step with the custom command semgrep ci is consistent with the PR objectives.