feat(security): Hadolint + GitLeaks + Semgrep workflow (Layer C)
Новый workflow .gitea/workflows/security.yml — параллельно с deploy.yml, запускается на push в main + на PR. Все три инструмента warning-only: - Hadolint: bad practices в Dockerfile - GitLeaks: поиск секретов в истории (полный clone fetch-depth: 0) - Semgrep: SAST с конфигами p/javascript + p/react + p/typescript + p/security-audit Не блокируют deploy — findings собираются в логи job'а. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
44
.gitea/workflows/security.yml
Normal file
44
.gitea/workflows/security.yml
Normal file
@@ -0,0 +1,44 @@
|
||||
name: security
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main]
|
||||
pull_request:
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
security:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0 # GitLeaks хочет полную историю
|
||||
|
||||
# ── 1. Hadolint: проверка Dockerfile на bad practices ─────────────
|
||||
- name: Hadolint
|
||||
run: |
|
||||
if [ -f Dockerfile ]; then
|
||||
docker run --rm -i hadolint/hadolint hadolint --no-fail - < Dockerfile || true
|
||||
else
|
||||
echo "No Dockerfile — skip Hadolint"
|
||||
fi
|
||||
|
||||
# ── 2. GitLeaks: поиск секретов в истории ─────────────────────────
|
||||
- name: GitLeaks
|
||||
run: |
|
||||
docker run --rm -v "$(pwd)":/repo zricethezav/gitleaks:latest \
|
||||
detect --source /repo --no-banner --verbose --redact --exit-code 0 || true
|
||||
|
||||
# ── 3. Semgrep: SAST на JavaScript/React/Astro ────────────────────
|
||||
- name: Semgrep
|
||||
run: |
|
||||
docker run --rm -v "$(pwd)":/src returntocorp/semgrep:latest \
|
||||
semgrep ci \
|
||||
--config=p/javascript \
|
||||
--config=p/react \
|
||||
--config=p/typescript \
|
||||
--config=p/security-audit \
|
||||
--severity=ERROR --severity=WARNING \
|
||||
--no-suppress-errors \
|
||||
--error=0 || true
|
||||
Reference in New Issue
Block a user