naomi/actions-sandbox
1
0
Fork 0
generated from nhcarrigan/template
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4ac82f46ed2ece865aadbf7b26452643599e2864
actions-sandbox/.gitea/workflows/security.yml
T
naomi 4ac82f46ed
Security Scan / Trivy Security Scan (push) Has been cancelled
Details
feat: install semgrep
2025-12-11 12:16:02 -08:00

81 lines
2.5 KiB
YAML
Raw Blame History

name: Security Scan
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
schedule:
# Run weekly on Mondays at 00:00 UTC
- cron: '0 0 * * 1'
workflow_dispatch:
jobs:
trivy-scan:
name: Trivy Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
# Manually install Trivy (workaround for Gitea Actions not supporting node24)
- name: Install Trivy
run: |
sudo apt-get update
sudo apt-get install wget apt-transport-https gnupg lsb-release -y
wget -qO /tmp/trivy-key.asc https://aquasecurity.github.io/trivy-repo/deb/public.key
sudo apt-key add /tmp/trivy-key.asc
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy -y
# Combined scan for vulnerabilities, secrets, and IaC misconfigurations
- name: Run Trivy comprehensive security scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
scanners: 'vuln,secret,misconfig'
format: 'table'
output: 'trivy-results.txt'
severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
# Fail on any vulnerability found
exit-code: '1'
# Don't ignore unfixed vulnerabilities
ignore-unfixed: false
# Skip database update to speed up scans (uses cached DB)
skip-db-update: false
# Skip setup since we installed Trivy manually
skip-setup-trivy: true
# Display results for visibility
- name: Display Trivy scan results
if: always()
run: |
if [ -f trivy-results.txt ]; then
echo "=== Trivy Security Scan Results ==="
cat trivy-results.txt
fi
- name: Install Semgrep
run: python3 -m pip install semgrep
# Static code analysis with Semgrep
- name: Run Semgrep static analysis
run: |
semgrep --config p/security-audit \
--config p/owasp-top-ten \
--config p/ci \
--config p/security \
. > semgrep-results.txt
# Display Semgrep results
- name: Display Semgrep scan results
if: always()
run: |
if [ -f semgrep-results.txt ]; then
echo "=== Semgrep Static Analysis Results ==="
cat semgrep-results.txt
fi
Reference in New Issue View Git Blame Copy Permalink