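---
# CI security workflow: runs Trivy (vuln/secret/misconfig) and Semgrep (SAST)
# on pushes and PRs to main, on a weekly schedule, and on manual dispatch.
name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Run weekly on Mondays at 00:00 UTC
    - cron: '0 0 * * 1'
  workflow_dispatch:

jobs:
  trivy-scan:
    name: Trivy Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Manually install Trivy (workaround for Gitea Actions not supporting node24)
      - name: Install Trivy
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install wget apt-transport-https gnupg lsb-release -y
          # Store the repo key in /etc/apt/keyrings and bind it to this repo with
          # [signed-by=...] instead of apt-key, which is deprecated and would trust
          # the key for every configured apt repository.
          sudo install -d -m 0755 /etc/apt/keyrings
          wget -qO- https://aquasecurity.github.io/trivy-repo/deb/public.key \
            | gpg --dearmor \
            | sudo tee /etc/apt/keyrings/trivy.gpg > /dev/null
          echo "deb [signed-by=/etc/apt/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" \
            | sudo tee /etc/apt/sources.list.d/trivy.list
          sudo apt-get update
          sudo apt-get install trivy -y

      # Combined scan for vulnerabilities, secrets, and IaC misconfigurations
      - name: Run Trivy comprehensive security scan
        # TODO: pin to a release tag or full commit SHA instead of the mutable
        # 'master' ref so a change to the action cannot silently alter this job.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          scanners: 'vuln,secret,misconfig'
          format: 'table'
          output: 'trivy-results.txt'
          # Every severity is reported, so exit-code 1 below fails the job on
          # any finding, including LOW and UNKNOWN.
          severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
          # Fail on any vulnerability found
          exit-code: '1'
          # Don't ignore unfixed vulnerabilities
          ignore-unfixed: false
          # Always refresh the vulnerability DB before scanning (false = do not skip)
          skip-db-update: false
          # Skip setup since we installed Trivy manually
          skip-setup-trivy: true

      # Display results for visibility
      - name: Display Trivy scan results
        if: always()
        run: |
          if [ -f trivy-results.txt ]; then
            echo "=== Trivy Security Scan Results ==="
            cat trivy-results.txt
          fi

      # always(): a failing Trivy scan must not prevent Semgrep from running,
      # otherwise its findings are only visible once Trivy is clean.
      - name: Install Semgrep
        if: always()
        # TODO: pin the version (semgrep==<VERSION>) so runs are reproducible
        run: python3 -m pip install semgrep

      # Static code analysis with Semgrep
      - name: Run Semgrep static analysis
        if: always()
        # --error makes findings fail the step, matching Trivy's exit-code: '1'
        run: |
          semgrep --config p/security-audit \
            --config p/owasp-top-ten \
            --config p/ci \
            --config p/security \
            --error \
            . > semgrep-results.txt

      # Display Semgrep results
      - name: Display Semgrep scan results
        if: always()
        run: |
          if [ -f semgrep-results.txt ]; then
            echo "=== Semgrep Static Analysis Results ==="
            cat semgrep-results.txt
          fi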