name: Insecure API check
on:
  pull_request:
    branches:
      - master
      - 'release/**'
      - 'maintainers/**'

permissions:  
  contents: read

jobs:
  insecure-api:
    name: check-insecure-api
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep:1.85.0@sha256:b4c2272e0a2e59ca551ff96d3bbae657bd2b7356e339af557b27a96d9e751544
    steps:
      - name: Checkout Falco ⤵️
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0
      - name: Scan PR for insecure API usage 🕵️
        run: |
          semgrep scan \
            --error \
            --metrics=off \
            --baseline-commit ${{ github.event.pull_request.base.sha }} \
            --config=./semgrep