feat: automated upload of .gitea/workflows/security.yml

2025-12-11 20:11:58 +01:00
parent c66409fe86
commit 5e933826c3
1 changed files with 71 additions and 0 deletions
--- a/.gitea/workflows/security.yml
+++ b/.gitea/workflows/security.yml
@@ -0,0 +1,71 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [ main, master, develop ]
+  pull_request:
+    branches: [ main, master, develop ]
+  schedule:
+    # Run weekly on Mondays at 00:00 UTC
+    - cron: '0 0 * * 1'
+  workflow_dispatch:
+
+jobs:
+  trivy-scan:
+    name: Trivy Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      # Combined scan for vulnerabilities, secrets, and IaC misconfigurations
+      - name: Run Trivy comprehensive security scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          scanners: 'vuln,secret,config'
+          format: 'table'
+          output: 'trivy-results.txt'
+          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+          # Fail on any vulnerability found
+          exit-code: '1'
+          # Don't ignore unfixed vulnerabilities
+          ignore-unfixed: false
+          # Skip database update to speed up scans (uses cached DB)
+          skip-db-update: false
+
+      # Display results for visibility
+      - name: Display Trivy scan results
+        if: always()
+        run: |
+          if [ -f trivy-results.txt ]; then
+            echo "=== Trivy Security Scan Results ==="
+            cat trivy-results.txt
+          fi
+
+      # Static code analysis with Semgrep
+      - name: Run Semgrep static analysis
+        uses: returntocorp/semgrep-action@v1
+        with:
+          config: >-
+            p/security-audit
+            p/owasp-top-ten
+            p/ci
+            p/security
+          generateSarif: '1'
+          outputFormat: 'text'
+          outputFile: 'semgrep-results.txt'
+          # Fail on any finding
+          error: 'true'
+
+      # Display Semgrep results
+      - name: Display Semgrep scan results
+        if: always()
+        run: |
+          if [ -f semgrep-results.txt ]; then
+            echo "=== Semgrep Static Analysis Results ==="
+            cat semgrep-results.txt
+          fi
+