fix(security): nativе binaries вместо docker run (Gitea fix)
Some checks failed
deploy / deploy (push) Has been cancelled
security / security (push) Has been cancelled

Gitea act_runner не имеет docker внутри workflow-контейнера —
"docker not found" маскировался через `|| true`, Layer C по факту
не работал. Заменено на:
- Hadolint v2.12.0 binary (curl + chmod)
- GitLeaks v8.21.2 (tarball)
- Semgrep через python3 venv + pip

Все три по-прежнему warning-only, но теперь реально сканируют.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Dmitry Gusev
2026-05-24 17:49:20 +03:00
parent 7455aadb28
commit 6005ec32f7

View File

@@ -13,32 +13,44 @@ jobs:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
fetch-depth: 0 # GitLeaks хочет полную историю fetch-depth: 0 # GitLeaks нужна полная история
# ── 1. Hadolint: проверка Dockerfile на bad practices ───────────── # ── 1. Hadolint: проверка Dockerfile ──────────────────────────────
- name: Hadolint # Установка нативного бинаря (act_runner не имеет docker внутри).
- name: Install Hadolint
run: | run: |
if [ -f Dockerfile ]; then if [ -f Dockerfile ]; then
docker run --rm -i hadolint/hadolint hadolint --no-fail - < Dockerfile || true curl -sSL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint
chmod +x /usr/local/bin/hadolint
fi
- name: Run Hadolint
run: |
if [ -f Dockerfile ]; then
hadolint --no-fail Dockerfile || true
else else
echo "No Dockerfile — skip Hadolint" echo "No Dockerfile — skip"
fi fi
# ── 2. GitLeaks: поиск секретов в истории ───────────────────────── # ── 2. GitLeaks: поиск секретов в истории ─────────────────────────
- name: GitLeaks - name: Install GitLeaks
run: | run: |
docker run --rm -v "$(pwd)":/repo zricethezav/gitleaks:latest \ curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
detect --source /repo --no-banner --verbose --redact --exit-code 0 || true | tar -xz -C /usr/local/bin gitleaks
chmod +x /usr/local/bin/gitleaks
# ── 3. Semgrep: SAST на JavaScript/React/Astro ──────────────────── - name: Run GitLeaks
- name: Semgrep run: gitleaks detect --source . --no-banner --verbose --redact --exit-code 0 || true
# ── 3. Semgrep: SAST ──────────────────────────────────────────────
- name: Install Semgrep
run: | run: |
docker run --rm -v "$(pwd)":/src returntocorp/semgrep:latest \ apt-get update -qq
semgrep ci \ apt-get install -y --no-install-recommends python3-pip python3-venv
--config=p/javascript \ python3 -m venv /tmp/sg && /tmp/sg/bin/pip install --quiet semgrep
--config=p/react \ ln -sf /tmp/sg/bin/semgrep /usr/local/bin/semgrep
--config=p/typescript \
--config=p/security-audit \ - name: Run Semgrep
--severity=ERROR --severity=WARNING \ run: |
--no-suppress-errors \ semgrep --config=p/javascript --config=p/react --config=p/typescript --config=p/security-audit \
--error=0 || true --severity=ERROR --severity=WARNING --no-error --quiet --metrics=off --timeout=120 . || true