All checks were successful
security / security (push) Successful in 8s
- security.yml: Hadolint + GitLeaks (для Next.js sag24 — также Semgrep + npm audit) - origin URL: HTTPS+PAT → SSH (убран plain-text token из git config) - all remote: dual-push в Gitea + GitHub Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
36 lines
1.0 KiB
YAML
36 lines
1.0 KiB
YAML
name: security
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
security:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
# Hadolint — bad practices в Dockerfile
|
|
- name: Install Hadolint
|
|
run: |
|
|
curl -sSL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint
|
|
chmod +x /usr/local/bin/hadolint
|
|
|
|
- name: Run Hadolint
|
|
run: hadolint --no-fail Dockerfile || true
|
|
|
|
# GitLeaks — поиск секретов в истории
|
|
- name: Install GitLeaks
|
|
run: |
|
|
curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
|
|
| tar -xz -C /usr/local/bin gitleaks
|
|
chmod +x /usr/local/bin/gitleaks
|
|
|
|
- name: Run GitLeaks
|
|
run: gitleaks detect --source . --no-banner --verbose --redact --exit-code 0 || true
|