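# Security scanning workflow: Hadolint (Dockerfile lint), GitLeaks (secret scan
# over the full git history) and Semgrep (SAST).
#
# Policy: scan FINDINGS are reported but do not fail the job (the tools' own
# non-blocking flags handle that); a scanner that fails to install or crashes
# DOES fail the job, so a broken scanner is never mistaken for a clean result.
# The original `|| true` on every scan step masked that second case.
name: security

on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch:

# Least privilege for the job token: nothing below needs write access.
permissions:
  contents: read

env:
  # Quoted so the versions stay strings and are easy to bump in one place.
  HADOLINT_VERSION: "2.12.0"
  GITLEAKS_VERSION: "8.21.2"

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # NOTE(review): a floating tag (v4) can be moved; pin to a commit SHA
        # for a reproducible, tamper-evident action reference.
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # GitLeaks needs the full history

      # ── 1. Hadolint: Dockerfile linting ──────────────────────────────
      # Native binary install (the act_runner has no Docker inside).
      - name: Install Hadolint
        run: |
          # Explicit so a failed download aborts the step regardless of the
          # runner's default shell flags.
          set -euo pipefail
          if [ -f Dockerfile ]; then
            # -f: an HTTP 404/5xx must abort instead of saving the error page
            # to /usr/local/bin and marking it executable.
            # TODO(security): verify a pinned sha256 of the download before
            # chmod +x; version pinning alone does not prove integrity.
            curl -fsSL "https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-Linux-x86_64" \
              -o /usr/local/bin/hadolint
            chmod +x /usr/local/bin/hadolint
          fi

      - name: Run Hadolint
        # --no-fail already makes findings non-blocking; without `|| true` a
        # crash of the linter itself (e.g. missing binary) still fails the step.
        run: |
          if [ -f Dockerfile ]; then
            hadolint --no-fail Dockerfile
          else
            echo "No Dockerfile — skip"
          fi

      # ── 2. GitLeaks: secret scan over the git history ────────────────
      - name: Install GitLeaks
        run: |
          # pipefail: a failed curl in the curl|tar pipeline must fail the step.
          set -euo pipefail
          # TODO(security): verify a pinned sha256 of the archive before extracting.
          curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
            | tar -xz -C /usr/local/bin gitleaks
          chmod +x /usr/local/bin/gitleaks

      - name: Run GitLeaks
        # --exit-code 0: leaks are reported (values redacted) but do not block;
        # any other non-zero exit is a real scanner error and fails the step.
        run: gitleaks detect --source . --no-banner --verbose --redact --exit-code 0

      # ── 3. Semgrep: SAST ─────────────────────────────────────────────
      - name: Install Semgrep
        # Assumes the runner executes as root (no sudo) — presumably true on
        # the act_runner; confirm before reusing on a GitHub-hosted runner.
        # TODO(security): pin semgrep to an exact version (semgrep==X.Y.Z) so
        # the scanner is reproducible and not silently upgraded on each run.
        run: |
          set -euo pipefail
          apt-get update -qq
          apt-get install -y --no-install-recommends python3-pip python3-venv
          python3 -m venv /tmp/sg && /tmp/sg/bin/pip install --quiet semgrep
          ln -sf /tmp/sg/bin/semgrep /usr/local/bin/semgrep

      - name: Run Semgrep
        # --no-error: findings do not fail the step; --metrics=off disables
        # Semgrep's usage telemetry; a scanner error still fails the step.
        run: |
          semgrep --config=p/javascript --config=p/react --config=p/typescript --config=p/security-audit \
            --severity=ERROR --severity=WARNING --no-error --quiet --metrics=off --timeout=120 .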