feat: got it all now I think

.gitea/workflows/security.yml

@@ -20,7 +20,6 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      # Manually install Trivy (workaround for Gitea Actions not supporting node24)
       - name: Install Trivy
         run: |
           sudo apt-get update
@@ -31,13 +30,12 @@ jobs:
           sudo apt-get update
           sudo apt-get install trivy -y
 
-      # Combined scan for vulnerabilities and IaC misconfigurations (secrets handled by Gitleaks)
       - name: Run Trivy comprehensive security scan
         uses: aquasecurity/trivy-action@master
         with:
           scan-type: 'fs'
           scan-ref: '.'
-          scanners: 'vuln,secret,misconfig'
+          scanners: 'vuln,misconfig'
           format: 'table'
           output: 'trivy-results.txt'
           severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
@@ -50,7 +48,6 @@ jobs:
           # Skip setup since we installed Trivy manually
           skip-setup-trivy: true
 
-      # Display results for visibility
       - name: Display Trivy scan results
         if: always()
         run: |
@@ -62,22 +59,19 @@ jobs:
             exit 1
           fi
 
-      # Install Gitleaks for fast secret scanning
       - name: Install Gitleaks
         run: |
-          wget -O /tmp/gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/').tar.gz
+          wget -O /tmp/gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz
           tar -xzf /tmp/gitleaks.tar.gz -C /tmp
           sudo mv /tmp/gitleaks /usr/local/bin/
           sudo chmod +x /usr/local/bin/gitleaks
           gitleaks version
 
-      # Secret scanning with Gitleaks
       - name: Run Gitleaks secret scan
         run: |
           gitleaks detect --source . --report-path gitleaks-results.json --report-format json --no-git
           gitleaks detect --source . --report-path gitleaks-results.txt --report-format txt
 
-      # Display Gitleaks results
       - name: Display Gitleaks scan results
         if: always()
         run: |
@@ -101,7 +95,6 @@ jobs:
           pipx install semgrep
           semgrep --version
 
-      # Static code analysis with Semgrep
       - name: Run Semgrep static analysis
         run: |
           export PATH="$HOME/.local/bin:$PATH"
@@ -112,7 +105,6 @@ jobs:
             --output semgrep-results.txt \
             .
 
-      # Display Semgrep results
       - name: Display Semgrep scan results
         if: always()
         run: |
@@ -124,25 +116,21 @@ jobs:
             exit 1
           fi
 
-      # Need Go
       - name: Install Go
         uses: actions/setup-go@v6
         with:
           go-version: 'stable' # Latest stable version
 
-      # Install OSV Scanner
       - name: Install OSV Scanner
         run: |
           export PATH="$HOME/go/bin:$PATH"
           go install github.com/google/osv-scanner/cmd/osv-scanner@latest
 
-      # Run OSV Scanner
       - name: Run OSV Scanner
         run: |
           export PATH="$HOME/go/bin:$PATH"
           osv-scanner -r scan --format table --output osv-results.txt .
 
-      # Display OSV Scanner results
       - name: Display OSV Scanner scan results
         if: always()
         run: |