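---
# Advisory security scanning: Dockerfile lint (hadolint), secret scanning
# (gitleaks), SAST (semgrep) and vulnerability/misconfiguration scanning
# (trivy). Every scanner step is `continue-on-error`, so the check stays green
# and findings are surfaced as SARIF in the repository's Security tab — that
# upload is what the `security-events: write` permission below is for.
name: security

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
  workflow_dispatch:
  schedule:
    # Every Monday at 03:00 UTC — independent weekly scan
    - cron: '0 3 * * 1'

# Least privilege: read the tree, write only code-scanning results.
# NOTE: on pull requests from forks GITHUB_TOKEN is read-only, so the SARIF
# upload steps are allowed to fail without turning the job red.
permissions:
  contents: read
  security-events: write

jobs:
  hadolint:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
      # hashFiles() is evaluated against the runner workspace, which is still
      # empty before checkout — a job-level `if: hashFiles('Dockerfile') != ''`
      # therefore never matches and the job is always skipped. The guard has to
      # sit on the step that runs after checkout.
      - uses: hadolint/hadolint-action@v3.1.0
        if: hashFiles('Dockerfile') != ''
        with:
          dockerfile: Dockerfile
          failure-threshold: error
          format: sarif
          output-file: hadolint.sarif
        continue-on-error: true
      - uses: github/codeql-action/upload-sarif@v3
        if: hashFiles('hadolint.sarif') != ''
        continue-on-error: true
        with:
          sarif_file: hadolint.sarif
          category: hadolint

  gitleaks:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so leaks in earlier commits are found, not just HEAD
      # The token lets the action report results back to GitHub; see the
      # action's README for exactly what it uploads on your plan.
      - uses: gitleaks/gitleaks-action@v2
        continue-on-error: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  semgrep:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    container:
      # TODO(review): `latest` is a mutable tag — pin by digest
      # (returntocorp/semgrep@sha256:<digest>) so the scanner cannot change
      # underneath the workflow.
      image: returntocorp/semgrep:latest
    steps:
      - uses: actions/checkout@v4
      # --sarif/--output persist findings instead of leaving them in the log.
      - run: >-
          semgrep ci
          --config=p/javascript --config=p/react
          --config=p/typescript --config=p/security-audit
          --sarif --output=semgrep.sarif
        continue-on-error: true
      - uses: github/codeql-action/upload-sarif@v3
        if: hashFiles('semgrep.sarif') != ''
        continue-on-error: true
        with:
          sarif_file: semgrep.sarif
          category: semgrep

  trivy:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@v4
      # Pinned to a release instead of the mutable `master` branch, so an
      # upstream change (or compromise) cannot alter what runs here; pinning
      # to a full commit SHA is stricter still.
      # The Dockerfile gate is kept from the original workflow; note that an
      # `fs` scan covers lockfiles and IaC too and does not itself need one.
      - uses: aquasecurity/trivy-action@0.28.0
        if: hashFiles('Dockerfile') != ''
        with:
          scan-type: fs
          scan-ref: .
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: '0'  # advisory only; findings go to the Security tab
          format: sarif
          output: trivy-results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: hashFiles('trivy-results.sarif') != ''
        continue-on-error: true
        with:
          sarif_file: trivy-results.sarif
          category: trivy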