From 27a7ac2d42fcd71cd01571c8036b23ecf12151fe Mon Sep 17 00:00:00 2001 From: Dmitry Gusev Date: Sun, 24 May 2026 16:51:08 +0300 Subject: [PATCH] feat(security): Hadolint + GitLeaks + Semgrep workflow (Layer C) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Новый workflow .gitea/workflows/security.yml — параллельно с deploy.yml, запускается на push в main + на PR. Все три инструмента warning-only: - Hadolint: bad practices в Dockerfile - GitLeaks: поиск секретов в истории (полный clone fetch-depth: 0) - Semgrep: SAST с конфигами p/javascript + p/react + p/typescript + p/security-audit Не блокируют deploy — findings собираются в логи job'а. Co-Authored-By: Claude Opus 4.7 --- .gitea/workflows/security.yml | 44 +++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 .gitea/workflows/security.yml diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml new file mode 100644 index 0000000..8c15c72 --- /dev/null +++ b/.gitea/workflows/security.yml @@ -0,0 +1,44 @@ +name: security + +on: + push: + branches: [main] + pull_request: + workflow_dispatch: + +jobs: + security: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 # GitLeaks хочет полную историю + + # ── 1. Hadolint: проверка Dockerfile на bad practices ───────────── + - name: Hadolint + run: | + if [ -f Dockerfile ]; then + docker run --rm -i hadolint/hadolint hadolint --no-fail - < Dockerfile || true + else + echo "No Dockerfile — skip Hadolint" + fi + + # ── 2. GitLeaks: поиск секретов в истории ───────────────────────── + - name: GitLeaks + run: | + docker run --rm -v "$(pwd)":/repo zricethezav/gitleaks:latest \ + detect --source /repo --no-banner --verbose --redact --exit-code 0 || true + + # ── 3. Semgrep: SAST на JavaScript/React/Astro ──────────────────── + - name: Semgrep + run: | + docker run --rm -v "$(pwd)":/src returntocorp/semgrep:latest \ + semgrep ci \ + --config=p/javascript \ + --config=p/react \ + --config=p/typescript \ + --config=p/security-audit \ + --severity=ERROR --severity=WARNING \ + --no-suppress-errors \ + --error=0 || true