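---
name: security

# Least privilege for the workflow token: every step below only reads the
# repository (checkout + two read-only scanners), so nothing needs write access
# even when the repository's default token permissions are permissive.
permissions:
  contents: read

on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch:

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full clone: GitLeaks below scans commit history, not just HEAD.
          fetch-depth: 0

      # Hadolint — bad practices in the Dockerfile
      - name: Install Hadolint
        # `-f` makes curl fail on an HTTP error instead of saving the error page
        # as the "binary"; without it a bad URL yields a broken executable and
        # the run step's `|| true` hides that the scan never happened.
        # NOTE(review): the download is not integrity-checked; verify the
        # release's published digest before trusting it, e.g.
        # `echo "<EXPECTED_SHA256>  /usr/local/bin/hadolint" | sha256sum -c -`
        # (placeholder — take the value from the release page).
        run: |
          curl -fsSL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint
          chmod +x /usr/local/bin/hadolint
      - name: Run Hadolint
        # Advisory only: `--no-fail` reports findings without failing the job.
        run: hadolint --no-fail Dockerfile || true

      # GitLeaks — search for secrets in the commit history
      - name: Install GitLeaks
        # Same `-f` reasoning as the Hadolint download; the tarball is likewise
        # unverified — NOTE(review): pin its published checksum as above.
        run: |
          curl -fsSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
            | tar -xz -C /usr/local/bin gitleaks
          chmod +x /usr/local/bin/gitleaks
      - name: Run GitLeaks
        # Advisory only: `--exit-code 0` keeps the job green on findings;
        # `--redact` keeps matched secret values out of the job log.
        run: gitleaks detect --source . --no-banner --verbose --redact --exit-code 0 || true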