Opengrep Action - Static Analysis in CI

A GitHub composite action that runs Opengrep static analysis in CI with pinned releases and checksum verification, emitting JSON/SARIF for the rest of the pipeline.

GitHub Actions · Opengrep · SARIF · CI/CD

Static analysis only pays off if it runs on every change, and the scanner itself has to be trustworthy. Opengrep Action is a GitHub composite action for running Opengrep in CI: it installs a pinned release, verifies it against a committed checksum, validates its inputs, runs the scan, and hands back JSON or SARIF for the rest of your workflow.

It’s published on the GitHub Marketplace as the Opengrep Security Scanner.

Usage

- uses: platform-sec/opengrep-action@<commit-sha>  # pin to a full commit SHA
  with:
    target: .
    output-format: sarif
    strict: true

The SARIF output drops straight into GitHub code scanning; JSON is there when you want to post-process findings yourself.

Key inputs

  • target: file or directory to scan (default .)
  • patterns / config: the Opengrep ruleset or config to run (default auto)
  • output-format: sarif, json, json/sarif, or text
  • severity: minimum severity to report (INFO / WARNING / ERROR)
  • include / exclude: glob filters
  • strict: non-zero exit on findings, to fail the build (default true)
  • opengrep-version / opengrep-checksum: explicit version pin and SHA-256 verification

Supply-chain posture

The action treats its own execution as security-sensitive, which is exactly the standard you’d want from a tool sitting in your CI:

  • Pinned releases of Opengrep rather than floating latest,
  • Checksum verification of the downloaded binary,
  • Input validation at the action’s shell boundary,

so the thing scanning your code can’t quietly become a supply-chain weak point itself. MIT licensed; see the repository for the full input reference.
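The three posture points above, and the input validation listed under Key inputs, are easier to judge with the checks spelled out. What follows is an added POSIX sh example, not the action's own code: it verifies a "downloaded" binary against a SHA-256 pin, rejects a version input that is not a bare vX.Y.Z tag, and allowlists the enumerated inputs. The function names, the vX.Y.Z policy, and the case-sensitive matching of severity and output-format are assumptions for this example, not the action's published interface; the demo file and its digest are constructed inline.

```shell
#!/usr/bin/env sh
# Added example, not the action's own code: the checks a composite action's
# shell steps should apply before trusting a downloaded scanner binary or
# the workflow inputs that reach it. Function names and the vX.Y.Z version
# policy are assumptions, not the action's published interface.

# Digest a file with whichever SHA-256 tool the runner has (coreutils or BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum FILE EXPECTED_HEX
# Returns 0 only when FILE's SHA-256 equals EXPECTED_HEX (case-insensitive).
# Returns 2 for a malformed pin and 1 for a mismatch, so a caller can tell
# "bad pin in the workflow" from "download does not match the pin".
verify_checksum() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case "$expected" in
    *[!0-9a-f]*|'') echo "checksum pin must be 64 hex chars: '$2'" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "checksum pin must be 64 hex chars: '$2'" >&2; return 2; }
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# validate_version TAG: accept only a bare release tag of the form vX.Y.Z,
# so a floating "latest" or a value carrying shell metacharacters never
# reaches the download URL or a command line.
validate_version() {
  rest=${1#v}
  [ "$rest" != "$1" ] || { echo "version must start with v: '$1'" >&2; return 1; }
  case "$rest" in
    ''|.*|*.|*..*|*[!0-9.]*) echo "version must be vX.Y.Z: '$1'" >&2; return 1 ;;
  esac
  dots=$(( $(printf '%s' "$rest" | tr -cd '.' | wc -c) ))
  [ "$dots" -eq 2 ] || { echo "version must be vX.Y.Z: '$1'" >&2; return 1; }
  return 0
}

# Allowlists for the enumerated inputs, matched exactly (this example assumes
# case-sensitive values; the action's own matching may differ).
validate_output_format() {
  case "$1" in
    sarif|json|json/sarif|text) return 0 ;;
    *) echo "output-format must be sarif, json, json/sarif or text: '$1'" >&2; return 1 ;;
  esac
}

validate_severity() {
  case "$1" in
    INFO|WARNING|ERROR) return 0 ;;
    *) echo "severity must be INFO, WARNING or ERROR: '$1'" >&2; return 1 ;;
  esac
}

# Demo with a constructed "download": the bytes "hello\n" and their SHA-256.
demo() {
  known=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  tmp=$(mktemp)
  printf 'hello\n' > "$tmp"
  if verify_checksum "$tmp" "$known"; then echo "intact download: accepted"; fi
  printf 'hello\n# one extra line\n' > "$tmp"
  if ! verify_checksum "$tmp" "$known" 2>/dev/null; then echo "altered download: rejected"; fi
  rm -f "$tmp"
  for v in v1.4.0 latest "v1.4.0 extra"; do
    if validate_version "$v" 2>/dev/null; then echo "version '$v': ok"; else echo "version '$v': rejected"; fi
  done
}
demo
```

The point of separating exit codes 1 and 2 in verify_checksum is operational: a malformed pin is a workflow bug to fix in the repository, while a mismatch on a well-formed pin is the signal that the artifact served for that release is not the one that was reviewed, and the build should stop rather than fall back to running it.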