.github/workflows: add semgrep.yml for SAST

.github/workflows/semgrep.yml

@@ -0,0 +1,58 @@
+# REV 1.7
+# 1.0 - initial release
+# 1.1 - updated container image address to point to internal cache harbor
+# 1.2 - implementing REV version(s) for quick version validation/comparison
+# 1.3 - implementing reusable workflow
+# 1.4 - implementing auto tagging feature and command flag support (https://github.com/intel-innersource/frameworks.actions.semgrep-auto-tag-scan)
+# 1.5 - implementing feature to fail pull request if specified number of high and/or medium findings are present and allow user to input prod branch
+# 1.6 - implementing multi-tag support
+# 1.7 - use main branch's workflow instead of specified version
+
+# Name of this GitHub Actions workflow.
+name: Semgrep SAST
+on:
+  # Scan changed files in PRs (diff-aware scanning):
+  pull_request: {}
+
+  # Scan on-demand through GitHub Actions interface:
+  workflow_dispatch: {}
+
+  # Scan mainline branches and report all findings:
+  # Ensure you have the correct branch/es for your project
+  # Recommend only setting the default branch on push, or branches you push to frequently
+  push:
+    branches: ["main"]
+
+  # Schedule the CI job (this method uses cron syntax):
+  #schedule:
+    #- cron: '0 0 1 * *' # Sets Semgrep to scan on the 1st of every month at 12:00 AM UTC.
+    # It is recommended to change the schedule to a random time.
+
+jobs:
+  Call-Workflow:
+    uses: kangkaihui/xFasterTransformer/.github/workflows/semgrep.yml@main
+    with:
+      # (Required) Please insert the runner group for your project
+      # Example: runner-group: 'innersource.prod.amr.dind'
+      runner-group: 'innersource.prod.amr.dind'
+      # (Optional) Please insert the IAPM ID of the application here
+      # If you have more than 1 IAPM ID, please separate them with a comma
+      # If at least 1 ID has not been entered the auto-tagging feature will not work
+      iapm-ids: ''
+      # (Optional) Please insert the branch that should be tagged as "prod"
+      prod-branch: 'main'
+      # (Optional) Please indicate if this should be calculated for ASPN scoring entering true
+      # If set to true, the default branch will be tagged as prod and all other branches will be tagged as dev
+      prod-scan: 'true'
+      # (Optional) Enter any option command flags for debugging the scan or obtaining additional details
+      # Example: '--verbose --max-target-bytes=500000'
+      semgrep-flags: ''
+      # (Optional) Enter the max number of high serverity findings to tolerate before failing a PR
+      max-high-severity: ''
+      # (Optional) Enter the max number of medium severity findings to tolerate before failing a PR
+      max-medium-severity: ''
+      # (Optional) If you would like to tag your project with something other than the IAPM ID
+      # You can enter them here separated by a comma
+      other-tags: ''
+    secrets:
+      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}