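---
# Security scanning workflow: Dockerfile lint (Hadolint), secret scanning
# over the full git history (GitLeaks) and SAST for JS/TS/React (Semgrep).
#
# Changes versus the previous revision, all of which mattered for security:
# - Every step used to end in `|| true` (plus `--no-fail`, `--exit-code 0`,
#   `--error=0`), so the job could never fail and findings were effectively
#   ignored. Findings now fail the job. If a scanner must stay advisory for a
#   while, use `continue-on-error: true` on that step instead of `|| true`,
#   so the failure stays visible in the step status rather than being masked.
# - `--error=0` is almost certainly rejected by Semgrep's CLI (`--error` is a
#   boolean flag, not an option taking a value), which would have made the
#   Semgrep step exit non-zero on every run — silently, because of `|| true`.
# - Scanner images were pulled as `:latest`, so the scanners themselves were an
#   unpinned supply-chain dependency. They are pinned to explicit tags in one
#   place (`env`) below; for full immutability replace each tag with the
#   `@sha256:...` digest from the registry.
# - The job had no `permissions:` block and therefore ran with the default
#   GITHUB_TOKEN scope; none of these scanners needs more than read access.
name: security

on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the scanners only read the checkout.
permissions:
  contents: read

# Don't keep scanning a branch that has already moved on.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  # Pinned scanner images. Bump deliberately; prefer `@sha256:<digest>` over a
  # tag if you want the pin to be immutable.
  HADOLINT_IMAGE: hadolint/hadolint:v2.12.0
  GITLEAKS_IMAGE: zricethezav/gitleaks:v8.18.0
  SEMGREP_IMAGE: returntocorp/semgrep:1.45.0

jobs:
  security:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout
        # NOTE(review): a major-version tag is mutable; pin to a commit SHA
        # (`actions/checkout@<sha> # v4.x.y`) for a tamper-resistant pin.
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # GitLeaks scans the whole history, not just HEAD

      # ── 1. Hadolint: Dockerfile bad-practice check ───────────────────
      - name: Hadolint
        run: |
          set -euo pipefail
          if [ -f Dockerfile ]; then
            # Fail the job on warning or error; info-level hints are reported
            # but do not fail the build.
            docker run --rm -i "$HADOLINT_IMAGE" \
              hadolint --failure-threshold warning - < Dockerfile
          else
            echo "No Dockerfile — skip Hadolint"
          fi

      # ── 2. GitLeaks: secret scanning across git history ───────────────
      - name: GitLeaks
        run: |
          set -euo pipefail
          # The repo is mounted read-only. `--redact` keeps any secret that is
          # found out of the job log. The GIT_CONFIG_* variables mark /repo as
          # a safe directory inside the container: git refuses to read a
          # repository owned by a different uid, and the runner's checkout is
          # not owned by the container's user.
          docker run --rm \
            -v "$(pwd)":/repo:ro \
            -e GIT_CONFIG_COUNT=1 \
            -e GIT_CONFIG_KEY_0=safe.directory \
            -e GIT_CONFIG_VALUE_0=/repo \
            "$GITLEAKS_IMAGE" \
            detect --source /repo --no-banner --verbose --redact

      # ── 3. Semgrep: SAST for JavaScript/React/TypeScript ──────────────
      - name: Semgrep
        run: |
          set -euo pipefail
          # `--error` (a flag, no value) makes Semgrep exit non-zero when it
          # reports a finding at the selected severities.
          docker run --rm -v "$(pwd)":/src:ro "$SEMGREP_IMAGE" \
            semgrep ci \
              --config=p/javascript \
              --config=p/react \
              --config=p/typescript \
              --config=p/security-audit \
              --severity=ERROR --severity=WARNING \
              --no-suppress-errors \
              --error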