commit 61dd7bf2147f4d9faa3ce238a5e249c134760ee2 Author: JonKazama-Hellion Date: Sat May 9 11:20:11 2026 +0200 Initial reusable security-scan workflow Semgrep SAST + Trivy filesystem scan, runs in parallel. Either job failing fails the calling workflow. Inputs: - severity (Trivy threshold, default CRITICAL,HIGH) - semgrep-config (rule pack, default auto) diff --git a/.gitea/workflows/security-scan.yml b/.gitea/workflows/security-scan.yml new file mode 100644 index 0000000..2df1137 --- /dev/null +++ b/.gitea/workflows/security-scan.yml 
@@ -0,0 +1,60 @@ +name: Security Scan (reusable) + +# Reusable workflow consumed by per-repo security.yml stubs across the +# Hellion stack. Runs Semgrep SAST and Trivy filesystem scan in parallel. +# Either job failing fails the calling workflow. + +on: + workflow_call: + inputs: + severity: + description: 'Trivy severity threshold (e.g. CRITICAL,HIGH or just CRITICAL)' + required: false + type: string + default: 'CRITICAL,HIGH' + semgrep-config: + description: 'Semgrep config (default auto detects rules per language)' + required: false + type: string + default: 'auto' + +jobs: + semgrep: + name: Semgrep SAST + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.x' + + - name: Install Semgrep + run: pip install --no-cache-dir semgrep + + - name: Run Semgrep scan + # --config=auto pulls language-appropriate rule packs from semgrep.dev + # without requiring an account. --error makes the job fail when + # findings at or above the chosen severity exist. + run: semgrep scan --config=${{ inputs.semgrep-config }} --error --severity=ERROR --severity=WARNING + + trivy: + name: Trivy Vulnerability Scan + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Run Trivy filesystem scan + # Scans dependency manifests (NuGet, npm, package-lock etc.) against + # the NVD CVE database. ignore-unfixed skips findings that have no + # patched version available so we focus on actionable items. + uses: aquasecurity/trivy-action@master + with: + scan-type: fs + scan-ref: . + severity: ${{ inputs.severity }} + exit-code: '1' + ignore-unfixed: true diff --git a/README.md b/README.md new file mode 100644 index 0000000..f3315a8 --- /dev/null +++ b/README.md 
@@ -0,0 +1,52 @@ +# security-workflows + +Reusable Gitea Actions workflows for security scanning across Hellion repos. One central definition that all consumer repos call via a tiny stub. + +## Usage + +In any consumer repo, add `.gitea/workflows/security.yml`: + +```yaml +name: Security +on: + push: + branches: [main, master] + pull_request: + schedule: + - cron: '0 6 * * 1' # weekly Monday 06:00 UTC + workflow_dispatch: + +jobs: + scan: + uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main +``` + +That is the entire stub. Five lines of `jobs:` plus the trigger config the consumer actually wants. + +## What runs + +| Tool | What it does | +|---|---| +| **Semgrep** (auto-config) | SAST scanning for common vulnerability patterns across C#, JavaScript, TypeScript, Python, Go and more. Pulls language-appropriate rule packs from semgrep.dev. | +| **Trivy** (filesystem scan) | Dependency vulnerability scanning against the NVD CVE database. Picks up NuGet `*.csproj`, npm `package.json`/`package-lock.json`, Dockerfiles and more. | + +Both jobs run in parallel. Either failing fails the calling workflow. + +## Tuning per consumer + +The reusable workflow accepts two optional inputs: + +```yaml +jobs: + scan: + uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main + with: + severity: 'CRITICAL' # default 'CRITICAL,HIGH' + semgrep-config: 'p/owasp-top-ten' # default 'auto' +``` + +`severity` is the Trivy threshold, `semgrep-config` swaps the rule pack (e.g. `p/owasp-top-ten`, `p/javascript`, `p/csharp`). + +## Pinning + +Consumers reference `@main` for rolling updates. To pin a specific commit, use the SHA: `@`. There are no tagged releases yet, the workflow API is intentionally minimal so breaking changes should be rare.
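Review bot: In the security-scan.yml hunk, the Trivy step is pinned to a mutable branch (`uses: aquasecurity/trivy-action@master`) and Semgrep is installed unpinned (`run: pip install --no-cache-dir semgrep`), so every run pulls whatever those upstreams currently publish; a central workflow that every Hellion repo calls is exactly where a compromised or broken upstream would fan out, so pin the action to a release tag or full commit SHA and pin Semgrep to a version (e.g. `pip install --no-cache-dir "semgrep==<version>"`, placeholder to be filled with the tested release). The comment on the Semgrep step also overstates what `--error` does: it makes the exit code non-zero whenever any reported finding exists, while the two `--severity` flags only filter which findings are reported, so the "at or above the chosen severity" wording should say that severity is a report filter and `--error` turns any remaining finding into a failure.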
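Review bot: In the README hunk, the "Pinning" section's SHA example is empty (`@`), which leaves the reader with no idea of the expected form; show a labelled placeholder such as `@<full-40-character-commit-sha>` and say it must be the full SHA, since an abbreviated one is not a stable reference. Two smaller documentation points in the same hunk: the "What runs" table says Trivy picks up Dockerfiles, but the workflow's trivy-action step sets only `scan-type: fs` with no `scanners` input, so Dockerfile misconfiguration checks are not enabled unless that input includes `misconfig` (either add it or drop the Dockerfile claim), and the sentence "Five lines of `jobs:`" describes a `jobs:` block that is three lines in the stub above it.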