CI: run Semgrep via Docker (security-audit + php)

mowens3 · mowens3 · commit 7f1717cb40f8 · 2026-01-02T09:58:40.000-08:00
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -20,13 +20,16 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Run Semgrep
-        uses: returntocorp/semgrep-action@v1
-        with:
-          config: p/security-audit
-          generateSarif: "1"
+        run: |
+          docker run --rm -v "$PWD":/src -w /src returntocorp/semgrep:latest \
+            semgrep \
+              --config p/security-audit \
+              --config p/php \
+              --sarif \
+              --output semgrep.sarif \
+              --metrics off
 
       - name: Upload SARIF
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: semgrep.sarif
-
