From 75b4234668d5674cea87466c9e266f310bfb7131 Mon Sep 17 00:00:00 2001
From: Mark Collao <106274486+mcollao-hc@users.noreply.github.com>
Date: Thu, 13 Jul 2023 13:03:53 -0500
Subject: [PATCH] chore: prefer gosec for semgrep rule and turn on codeql (#3418)
---
 .github/workflows/security-scan.yml | 4 +++-
 scan.hcl | 11 +++++------
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 492a76b578..ce500ac8a2 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -6,7 +6,9 @@ on:
 pull_request:
 branches:
 - 'main'
-
+ paths-ignore:
+ - 'website/'
+
 jobs:
 scan:
 runs-on: ${{ fromJSON(vars.RUNNER_LARGE) }}
diff --git a/scan.hcl b/scan.hcl
index 05c171bfb3..0696e1bb4b 100644
--- a/scan.hcl
+++ b/scan.hcl
@@ -14,12 +14,11 @@ repository {
 plugin "semgrep" {
 use_git_ignore = true
- exclude = ["testing", "website"]
- config = ["p/r2c-security-audit"]
- exclude_rule = ["generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var"]
+ exclude = ["*_test.go", "website/*", "testing/*"]
+ config = ["p/gosec"]
 }
- # plugin "codeql" {
- # languages = ["go"]
- # }
+ plugin "codeql" {
+ languages = ["go"]
+ }
 }
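Review bot: The `paths-ignore` entry `'website/'` added under the `pull_request` trigger may not match any file, because GitHub's path filters are glob patterns in which `*` does not cross a `/` and the documented form for a whole directory is `'website/**'`; as written, website-only pull requests would most likely still trigger the scan. Consider `- 'website/**'`. The filter applies only to the pull_request event; if the workflow also runs on `push` (the rest of the `on:` block is outside the hunk), that trigger is unaffected. If this `scan` job is a required status check, pull requests that touch only `website/` will produce no run to report, so confirm how the branch protection treats the missing check.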
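Review bot: Switching `config` to `p/gosec` narrows semgrep to Go-only rules, and dropping the `exclude_rule` for `generic.html-templates.security.unquoted-attribute-var` suggests the repository has HTML templates that no scanner now covers, since the newly enabled `codeql` plugin is also limited to `languages = ["go"]`. If that narrowing is intended, a comment in the semgrep block stating it would keep the next reader from re-adding a generic pack by accident, e.g. `# Go-only rules: non-Go sources (templates, JS, shell) are not covered by semgrep or CodeQL here`. The `exclude` patterns also changed from bare directory names to single-star globs (`"website/*"`, `"testing/*"`); whether `*` recurses into subdirectories depends on the scanner's glob semantics, so confirm nested files are actually excluded or use `**`. Excluding `*_test.go` drops gosec findings in test helpers, which is reasonable but deserves a one-line reason such as `# *_test.go excluded: gosec rules are noisy on test fixtures`.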