diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml index 8c15c72..4685283 100644 --- a/.gitea/workflows/security.yml +++ b/.gitea/workflows/security.yml 
@@ -13,32 +13,44 @@ jobs: - name: Checkout uses: actions/checkout@v4 with: - fetch-depth: 0 # GitLeaks хочет полную историю + fetch-depth: 0 # GitLeaks нужна полная история - # ── 1. Hadolint: проверка Dockerfile на bad practices ───────────── - - name: Hadolint + # ── 1. Hadolint: проверка Dockerfile ────────────────────────────── + # Установка нативного бинаря (act_runner не имеет docker внутри). + - name: Install Hadolint run: | if [ -f Dockerfile ]; then - docker run --rm -i hadolint/hadolint hadolint --no-fail - < Dockerfile || true + curl -sSL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint + chmod +x /usr/local/bin/hadolint + fi + + - name: Run Hadolint + run: | + if [ -f Dockerfile ]; then + hadolint --no-fail Dockerfile || true else - echo "No Dockerfile — skip Hadolint" + echo "No Dockerfile — skip" fi # ── 2. GitLeaks: поиск секретов в истории ───────────────────────── - - name: GitLeaks + - name: Install GitLeaks run: | - docker run --rm -v "$(pwd)":/repo zricethezav/gitleaks:latest \ - detect --source /repo --no-banner --verbose --redact --exit-code 0 || true + curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \ + | tar -xz -C /usr/local/bin gitleaks + chmod +x /usr/local/bin/gitleaks - # ── 3. Semgrep: SAST на JavaScript/React/Astro ──────────────────── - - name: Semgrep + - name: Run GitLeaks + run: gitleaks detect --source . --no-banner --verbose --redact --exit-code 0 || true + + # ── 3. 
Semgrep: SAST ────────────────────────────────────────────── + - name: Install Semgrep run: | - docker run --rm -v "$(pwd)":/src returntocorp/semgrep:latest \ - semgrep ci \ - --config=p/javascript \ - --config=p/react \ - --config=p/typescript \ - --config=p/security-audit \ - --severity=ERROR --severity=WARNING \ - --no-suppress-errors \ - --error=0 || true + apt-get update -qq + apt-get install -y --no-install-recommends python3-pip python3-venv + python3 -m venv /tmp/sg && /tmp/sg/bin/pip install --quiet semgrep + ln -sf /tmp/sg/bin/semgrep /usr/local/bin/semgrep + + - name: Run Semgrep + run: | + semgrep --config=p/javascript --config=p/react --config=p/typescript --config=p/security-audit \ + --severity=ERROR --severity=WARNING --no-error --quiet --metrics=off --timeout=120 . || true
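Review bot: The new Install Hadolint and Install GitLeaks steps download release binaries with curl and execute them with no integrity check; pinning the tag (v2.12.0, v8.21.2) pins a name, not an artifact, so a replaced or tampered release asset would run on the runner with write access to /usr/local/bin. The curl calls should also use `-f` so an HTTP error body is never written to /usr/local/bin/hadolint and then chmod'd executable, and the GitLeaks tarball should be saved and verified before `tar -x` rather than piped straight into it. Install Semgrep has the same gap in another form: `pip install --quiet semgrep` takes whatever version PyPI serves at run time, so two runs of this workflow are not reproducible; pin it as `"semgrep==<PINNED_VERSION>"`. Separately, every scanner is still invoked so it cannot fail the job (`--no-fail`, `--exit-code 0`, `--no-error`, `|| true`), which the commit carries over from the old version; a one-line comment at the top of the steps, `# Advisory only: scanners report findings but never fail the job`, would stop readers assuming this workflow gates merges. The enclosing steps list begins above the hunk; the checksum values below are placeholders to be taken from each upstream release's checksum file.
```yaml
- name: Install Hadolint
  run: |
    if [ -f Dockerfile ]; then
      curl -fsSL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint
      # digest from the upstream v2.12.0 release checksum file
      echo "<HADOLINT_SHA256_PLACEHOLDER>  /usr/local/bin/hadolint" | sha256sum -c -
      chmod +x /usr/local/bin/hadolint
    fi
# … unchanged: Run Hadolint step …
- name: Install GitLeaks
  run: |
    curl -fsSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz -o /tmp/gitleaks.tgz
    # digest from the upstream v8.21.2 release checksum file
    echo "<GITLEAKS_SHA256_PLACEHOLDER>  /tmp/gitleaks.tgz" | sha256sum -c -
    tar -xzf /tmp/gitleaks.tgz -C /usr/local/bin gitleaks
    chmod +x /usr/local/bin/gitleaks
# … unchanged: Run GitLeaks step …
- name: Install Semgrep
  run: |
    # … unchanged: apt-get lines …
    python3 -m venv /tmp/sg && /tmp/sg/bin/pip install --quiet "semgrep==<PINNED_VERSION>"
    ln -sf /tmp/sg/bin/semgrep /usr/local/bin/semgrep
```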