Merge pull request 'fix(scan): merge semgrep + trivy into one job (act_runner race)' (#1) from fix/sequential-scan-jobs into main
Reviewed-on: #1
This commit was merged in pull request #1.
This commit is contained in:
@@ -1,8 +1,13 @@
|
||||
name: Security Scan (reusable)
|
||||
|
||||
# Reusable workflow consumed by per-repo security.yml stubs across the
|
||||
# Hellion stack. Runs Semgrep SAST and Trivy filesystem scan in parallel.
|
||||
# Either job failing fails the calling workflow.
|
||||
# Hellion stack. Runs Semgrep SAST + Trivy filesystem scan sequentially
|
||||
# inside a single job. Either tool failing fails the calling workflow.
|
||||
#
|
||||
# Why one job, not two parallel jobs:
|
||||
# act_runner v0.6.1 has a race condition when two jobs in the same task
|
||||
# share a workspace and chown it in parallel — one container never gets
|
||||
# /var/run/act/ provisioned and silent-fails. Sequential steps avoid it.
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
@@ -24,8 +29,8 @@ on:
|
||||
default: ''
|
||||
|
||||
jobs:
|
||||
semgrep:
|
||||
name: Semgrep SAST
|
||||
scan:
|
||||
name: Security Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
@@ -39,9 +44,16 @@ jobs:
|
||||
- name: Install Semgrep
|
||||
run: pip install --no-cache-dir semgrep
|
||||
|
||||
- name: Run Semgrep scan
|
||||
- name: Install Trivy
|
||||
# Direct install via the official upstream script. The aquasecurity/
|
||||
# trivy-action wrapper does nested checkouts and auth-juggling that
|
||||
# does not play well with Self-Hosted Gitea Actions, this is more
|
||||
# robust and a smaller surface.
|
||||
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
|
||||
|
||||
- name: Run Semgrep SAST
|
||||
# --config=auto pulls language-appropriate rule packs from semgrep.dev
|
||||
# without requiring an account. --error makes the job fail when ERROR
|
||||
# without requiring an account. --error makes the step fail when ERROR
|
||||
# findings exist. WARNING-level rules still run for visibility but do
|
||||
# not fail the build (they would dominate the noise).
|
||||
# Per-repo rule exclusion via the semgrep-exclude-rules input.
|
||||
@@ -57,22 +69,11 @@ jobs:
|
||||
echo "Running: semgrep scan $args"
|
||||
semgrep scan $args
|
||||
|
||||
trivy:
|
||||
name: Trivy Vulnerability Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Install Trivy
|
||||
# Direct install via the official upstream script. The aquasecurity/
|
||||
# trivy-action wrapper does nested checkouts and auth-juggling that
|
||||
# does not play well with Self-Hosted Gitea Actions, this is more
|
||||
# robust and a smaller surface.
|
||||
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
|
||||
|
||||
- name: Run Trivy filesystem scan
|
||||
# if: always() — surface Trivy findings even when Semgrep fails first,
|
||||
# so a single run gives the full combined picture.
|
||||
# Scans dependency manifests (NuGet, npm, package-lock etc.) against
|
||||
# the NVD CVE database. --ignore-unfixed skips findings that have
|
||||
# no patched version available so we focus on actionable items.
|
||||
if: always()
|
||||
run: trivy fs --severity ${{ inputs.severity }} --exit-code 1 --ignore-unfixed .
|
||||
|
||||
Reference in New Issue
Block a user