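---
# Security scanning workflow: Trivy (vulnerabilities, secrets, IaC misconfigs)
# followed by Semgrep (static analysis). Any finding fails the job.
name: Security Scan

on:  # yamllint disable-line rule:truthy
  push:
    branches: [ main, master, develop ]
  pull_request:
    branches: [ main, master, develop ]
  schedule:
    # Run weekly on Mondays at 00:00 UTC
    - cron: '0 0 * * 1'
  workflow_dispatch:

# Least privilege for the job token: every step below only reads the checkout
# and never pushes, comments or writes through the API. Runners that do not
# implement `permissions` (some Gitea versions) ignore the key; harmless there.
permissions:
  contents: read

jobs:
  trivy-scan:
    name: Trivy Security Scan
    runs-on: ubuntu-latest
    steps:
      # checkout@v4 defaults to fetch-depth 1, so the secret scanner below only
      # sees the working tree, not commit history. Set `fetch-depth: 0` if
      # previously committed-then-removed secrets should be caught as well.
      - name: Checkout code
        uses: actions/checkout@v4

      # Manually install Trivy (workaround for Gitea Actions not supporting node24)
      - name: Install Trivy
        run: |
          # -o pipefail: a failed download must not silently feed an empty key
          # or an empty sources line into the next command in the pipe.
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y wget apt-transport-https gnupg lsb-release
          # Keep the Trivy signing key in its own keyring and bind it to this
          # repo with `signed-by`. The deprecated `apt-key add` would make the
          # key trusted for every configured apt source, not just this one.
          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \
            | gpg --dearmor \
            | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" \
            | sudo tee /etc/apt/sources.list.d/trivy.list > /dev/null
          sudo apt-get update
          sudo apt-get install -y trivy

      # Combined scan for vulnerabilities, secrets, and IaC misconfigurations.
      # TODO(security): pin `aquasecurity/trivy-action` to a release tag or a
      # full commit SHA. `@master` is a mutable ref, so whoever can push to that
      # branch can run arbitrary code in this job with access to the checkout
      # and the job token.
      - name: Run Trivy comprehensive security scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          scanners: 'vuln,secret,config'
          format: 'table'
          output: 'trivy-results.txt'
          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
          # Fail on any finding at the severities above. LOW is included, so
          # expect this gate to be noisy unless a .trivyignore is maintained.
          exit-code: '1'
          # Also report vulnerabilities that have no fixed version yet
          ignore-unfixed: false
          # false = refresh the vulnerability DB on every run (slower, but
          # current). Set to true only when a cached DB is acceptable.
          skip-db-update: false
          # Skip the action's own Trivy download since we installed it above
          skip-setup-trivy: true

      # Display results for visibility. The job log is readable by anyone who
      # can view this repository's workflow runs; Trivy's table output redacts
      # matched secret values by default (verify for the installed version),
      # but file paths and line numbers of each hit are still printed.
      - name: Display Trivy scan results
        if: always()
        run: |
          if [ -f trivy-results.txt ]; then
            echo "=== Trivy Security Scan Results ==="
            cat trivy-results.txt
          fi

      # Static code analysis with Semgrep.
      # `if: always()` so a Trivy failure (exit-code 1 on any finding) does not
      # skip this scanner; without it only the first tool's findings are ever
      # surfaced in a failing run.
      # NOTE(review): returntocorp/semgrep-action has been marked deprecated
      # upstream in favor of running `semgrep ci` from the semgrep/semgrep
      # image — confirm before relying on it long-term, and pin to a commit
      # SHA while it is still used here.
      - name: Run Semgrep static analysis
        if: always()
        uses: returntocorp/semgrep-action@v1
        with:
          config: >-
            p/security-audit
            p/owasp-top-ten
            p/ci
            p/security
          generateSarif: '1'
          outputFormat: 'text'
          outputFile: 'semgrep-results.txt'
          # Fail on any finding
          error: 'true'

      # Display Semgrep results. Same log-visibility caveat as for Trivy:
      # findings may quote source lines, so assume the log is not private.
      - name: Display Semgrep scan results
        if: always()
        run: |
          if [ -f semgrep-results.txt ]; then
            echo "=== Semgrep Static Analysis Results ==="
            cat semgrep-results.txt
          fi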