pushkinohistory-ru-v2/.github/workflows/security.yml
striker a32346fc3d
All checks were successful
deploy / deploy (push) Successful in 48s
security / security (push) Successful in 3m6s
feat(security): GitHub Actions security.yml (mirror coverage)
Additional security scanning on the GitHub mirror: hadolint-action, gitleaks-action, semgrep, trivy-action. Runs on push + PR + weekly cron (Mon 03:00 UTC).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 17:56:35 +03:00

60 lines
1.4 KiB
YAML

name: security
on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch:
  schedule:
    # Every Monday 03:00 UTC: independent weekly scan
    - cron: '0 3 * * 1'

# Least-privilege token. security-events: write is only needed by a SARIF
# upload step (e.g. github/codeql-action/upload-sarif); no job below uploads
# SARIF, so this grant is currently unused and can be dropped.
permissions:
  contents: read
  security-events: write

jobs:
  hadolint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # hashFiles() is only recognised in step-level `if` and reads the
      # checked-out workspace, so the Dockerfile check sits on the step after
      # checkout rather than on the job (where it fails to evaluate).
      - uses: hadolint/hadolint-action@v3.1.0
        if: hashFiles('Dockerfile') != ''
        with:
          dockerfile: Dockerfile
          failure-threshold: error
        # Advisory only: lint findings never fail the workflow.
        continue-on-error: true

  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so secrets committed and later removed are still found.
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        # Advisory only: leaked secrets are reported but do not fail the run.
        continue-on-error: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  semgrep:
    runs-on: ubuntu-latest
    container:
      # Mutable :latest tag from the legacy returntocorp namespace (the image
      # now lives under semgrep/semgrep); pin a release tag or digest for
      # reproducible scans.
      image: returntocorp/semgrep:latest
    steps:
      - uses: actions/checkout@v4
      - run: semgrep ci --config=p/javascript --config=p/react --config=p/typescript --config=p/security-audit
        continue-on-error: true

  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # @master is a mutable branch ref; pin to a release tag or commit SHA.
      - uses: aquasecurity/trivy-action@master
        # Same step-level hashFiles() rule as in the hadolint job.
        if: hashFiles('Dockerfile') != ''
        with:
          # fs mode scans the checked-out tree (lockfiles, manifests), not a
          # built image, so the Dockerfile gate only limits when it runs.
          scan-type: fs
          scan-ref: .
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          # '0' means findings are reported but never fail the job.
          exit-code: '0'