From a32346fc3d34d62d7a5a4b33edcf14cf50f55cec Mon Sep 17 00:00:00 2001
From: striker
Date: Sun, 24 May 2026 17:56:35 +0300
Subject: [PATCH] feat(security): GitHub Actions security.yml (mirror coverage)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Дополнительный security-сканирование на GitHub mirror: hadolint-action, gitleaks-action, semgrep, trivy-action. Запускается на push + PR + weekly cron (Mon 03:00 UTC).

Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/security.yml | 59 ++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 .github/workflows/security.yml

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000..9163274
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,59 @@
+name: security
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    # Каждый понедельник 03:00 UTC — независимый weekly scan
+    - cron: '0 3 * * 1'
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  hadolint:
+    runs-on: ubuntu-latest
+    if: hashFiles('Dockerfile') != ''
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: Dockerfile
+          failure-threshold: error
+        continue-on-error: true
+
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        continue-on-error: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  semgrep:
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep:latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: semgrep ci --config=p/javascript --config=p/react --config=p/typescript --config=p/security-audit
+        continue-on-error: true
+
+  trivy:
+    runs-on: ubuntu-latest
+    if: hashFiles('Dockerfile') != ''
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          scan-ref: .
+          severity: HIGH,CRITICAL
+          ignore-unfixed: true
+          exit-code: '0'
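Review bot: The job-level `if: hashFiles('Dockerfile') != ''` on the hadolint and trivy jobs is evaluated before any step runs, while the runner workspace is still empty, so `hashFiles` returns `''` and both jobs are skipped on every run; move the guard onto the scan step after `actions/checkout@v4` (`if: hashFiles('Dockerfile') != ''` at step level), or gate on the output of an explicit `test -f Dockerfile` step. `aquasecurity/trivy-action@master` tracks a mutable branch in a workflow whose purpose is supply-chain hygiene; pin it to a release tag or full commit SHA, and consider the same for the `returntocorp/semgrep:latest` container image. Because every job sets `continue-on-error: true` (and trivy additionally `exit-code: '0'`) and no step uploads SARIF, the `security-events: write` permission is granted but unused and findings exist only in job logs; either add `format: sarif` plus an upload step so results land in the Security tab, or let HIGH/CRITICAL results fail the run.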