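---
# Static security scan of the repository's PHP code with semgrep.
# Runs on every push, on every pull request, and weekly (cron '0 6 * * 1':
# Mondays at 06:00, which GitHub evaluates in UTC).
name: Security

on:
  push:
    branches: ["**"]
  pull_request:
    branches: ["**"]
  schedule:
    - cron: '0 6 * * 1'

# Least privilege: the only job checks out the code and scans it, so the
# workflow token needs nothing beyond read access to repository contents.
permissions:
  contents: read

jobs:
  semgrep:
    name: PHP Security (semgrep)
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the action is referenced by a mutable tag; pinning it to
      # a full commit SHA prevents a retagged release from changing what runs.
      - uses: actions/checkout@v3
        with:
          # No later step talks to the remote, so do not leave the token in
          # the checked-out repository's git config.
          persist-credentials: false

      # NOTE(review): semgrep is installed unpinned from PyPI, so each run may
      # pick up a different release; pin a reviewed version for reproducible
      # results and a smaller supply-chain surface.
      # NOTE(review): apt-get is called without sudo, which assumes the runner
      # executes steps as root - confirm for the runner in use.
      - name: Install semgrep
        run: |
          apt-get update -qq
          apt-get install -y -qq python3 python3-pip
          pip3 install semgrep

      # --error makes semgrep exit non-zero when it reports findings, so any
      # finding fails the job.
      # The three --exclude-rule flags switch those injection rules off for the
      # whole repository, including code added later. Record why each one is
      # excluded, and prefer line-level `nosemgrep` suppressions on the
      # reviewed occurrences so that new instances are still reported.
      - name: Run semgrep
        run: |
          semgrep --config=p/php --config=p/owasp-top-ten --error \
            --exclude-rule=php.lang.security.injection.echoed-request.echoed-request \
            --exclude-rule=php.lang.security.injection.tainted-filename.tainted-filename \
            --exclude-rule=php.lang.security.injection.tainted-callable.tainted-callable \
            .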