Files
sag24-website/.gitea/workflows/security.yml
striker 01089d1b1a
All checks were successful
security / security (push) Successful in 3m6s
feat(security): security.yml + GitHub mirror + SSH origin
- security.yml: Hadolint + GitLeaks (для Next.js sag24 — также Semgrep + npm audit)

- origin URL: HTTPS+PAT → SSH (убран plain-text token из git config)

- all remote: dual-push в Gitea + GitHub

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 23:37:41 +03:00

73 lines
2.9 KiB
YAML

name: security
on:
push:
branches: [main]
pull_request:
workflow_dispatch:
jobs:
security:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0 # GitLeaks нужна полная история
# ── 1. Hadolint: проверка Dockerfile ──────────────────────────────
# Установка нативного бинаря (act_runner не имеет docker внутри).
- name: Install Hadolint
run: |
if [ -f Dockerfile ]; then
curl -sSL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint
chmod +x /usr/local/bin/hadolint
fi
- name: Run Hadolint
run: |
if [ -f Dockerfile ]; then
hadolint --no-fail Dockerfile || true
else
echo "No Dockerfile — skip"
fi
# ── 2. GitLeaks: поиск секретов в истории ─────────────────────────
- name: Install GitLeaks
run: |
curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
| tar -xz -C /usr/local/bin gitleaks
chmod +x /usr/local/bin/gitleaks
- name: Run GitLeaks
run: gitleaks detect --source . --no-banner --verbose --redact --exit-code 0 || true
# ── 3. Semgrep: SAST ──────────────────────────────────────────────
- name: Install Semgrep
run: |
apt-get update -qq
apt-get install -y --no-install-recommends python3-pip python3-venv
python3 -m venv /tmp/sg && /tmp/sg/bin/pip install --quiet semgrep
ln -sf /tmp/sg/bin/semgrep /usr/local/bin/semgrep
- name: Run Semgrep
run: |
semgrep --config=p/javascript --config=p/react --config=p/typescript --config=p/security-audit \
--severity=ERROR --severity=WARNING --no-error --quiet --metrics=off --timeout=120 . || true
# ── 4. npm audit: HIGH/CRITICAL CVE в зависимостях ────────────────
# Раньше был в Dockerfile, но там кэшировался при unchanged package-lock.json.
# Вынесен сюда — реально запускается каждый push.
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '22'
- name: npm audit
run: |
if [ -f package-lock.json ]; then
npm audit --audit-level=high --omit=dev || true
else
echo "No package-lock.json — skip npm audit"
fi