diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000..9163274
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,59 @@
+name: security
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ workflow_dispatch:
+ schedule:
+ # Каждый понедельник 03:00 UTC — независимый weekly scan
+ - cron: '0 3 * * 1'
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ hadolint:
+ runs-on: ubuntu-latest
+ if: hashFiles('Dockerfile') != ''
+ steps:
+ - uses: actions/checkout@v4
+ - uses: hadolint/hadolint-action@v3.1.0
+ with:
+ dockerfile: Dockerfile
+ failure-threshold: error
+ continue-on-error: true
+
+ gitleaks:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - uses: gitleaks/gitleaks-action@v2
+ continue-on-error: true
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ semgrep:
+ runs-on: ubuntu-latest
+ container:
+ image: returntocorp/semgrep:latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: semgrep ci --config=p/javascript --config=p/react --config=p/typescript --config=p/security-audit
+ continue-on-error: true
+
+ trivy:
+ runs-on: ubuntu-latest
+ if: hashFiles('Dockerfile') != ''
+ steps:
+ - uses: actions/checkout@v4
+ - uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: fs
+ scan-ref: .
+ severity: HIGH,CRITICAL
+ ignore-unfixed: true
+ exit-code: '0'
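Review bot: The job-level `if: hashFiles('Dockerfile') != ''` on the hadolint and trivy jobs is evaluated before any step runs, and on a fresh hosted runner the workspace is empty at that point, so the expression appears to always yield '' and both jobs are skipped whether or not a Dockerfile exists; move the guard onto the scanner step after checkout, i.e. keep `- uses: actions/checkout@v4` first and put `if: hashFiles('Dockerfile') != ''` on the `hadolint/hadolint-action` and `aquasecurity/trivy-action` steps. Separately, `aquasecurity/trivy-action@master` and the `returntocorp/semgrep:latest` container are mutable references, so the scanner code can change underneath the workflow without review; pin them to a release tag (or a commit SHA for the action), as `hadolint/hadolint-action@v3.1.0` already does. With `continue-on-error: true` on every job and trivy's `exit-code: '0'`, the workflow can never fail and no job uploads results, so `security-events: write` is granted but unused — either drop the permission or add a `github/codeql-action/upload-sarif` step so findings reach the Security tab instead of only the job log.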