feat(security): Hadolint + GitLeaks + Semgrep workflow (Layer C)
Some checks failed
deploy / deploy (push) Has been cancelled
security / security (push) Has been cancelled

Новый workflow .gitea/workflows/security.yml — параллельно с deploy.yml,
запускается на push в main + на PR. Все три инструмента warning-only:

- Hadolint: bad practices в Dockerfile
- GitLeaks: поиск секретов в истории (полный clone fetch-depth: 0)
- Semgrep: SAST с конфигами p/javascript + p/react + p/typescript + p/security-audit

Не блокируют deploy — findings собираются в логи job'а.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Dmitry Gusev
2026-05-24 16:51:01 +03:00
parent b902c28f54
commit 7f891c4759

View File

@@ -0,0 +1,44 @@
name: security
on:
push:
branches: [main]
pull_request:
workflow_dispatch:
jobs:
security:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0 # GitLeaks хочет полную историю
# ── 1. Hadolint: проверка Dockerfile на bad practices ─────────────
- name: Hadolint
run: |
if [ -f Dockerfile ]; then
docker run --rm -i hadolint/hadolint hadolint --no-fail - < Dockerfile || true
else
echo "No Dockerfile — skip Hadolint"
fi
# ── 2. GitLeaks: поиск секретов в истории ─────────────────────────
- name: GitLeaks
run: |
docker run --rm -v "$(pwd)":/repo zricethezav/gitleaks:latest \
detect --source /repo --no-banner --verbose --redact --exit-code 0 || true
# ── 3. Semgrep: SAST на JavaScript/React/Astro ────────────────────
- name: Semgrep
run: |
docker run --rm -v "$(pwd)":/src returntocorp/semgrep:latest \
semgrep ci \
--config=p/javascript \
--config=p/react \
--config=p/typescript \
--config=p/security-audit \
--severity=ERROR --severity=WARNING \
--no-suppress-errors \
--error=0 || true