Initial reusable security-scan workflow

Semgrep SAST + Trivy filesystem scan, runs in parallel. Either job failing fails the calling workflow. Inputs: - severity (Trivy threshold, default CRITICAL,HIGH) - semgrep-config (rule pack, default auto)
2026-05-09 11:20:11 +02:00
commit 61dd7bf214
2 changed files with 112 additions and 0 deletions
@@ -0,0 +1,60 @@
+name: Security Scan (reusable)
+
+# Reusable workflow consumed by per-repo security.yml stubs across the
+# Hellion stack. Runs Semgrep SAST and Trivy filesystem scan in parallel.
+# Either job failing fails the calling workflow.
+
+on:
+  workflow_call:
+    inputs:
+      severity:
+        description: 'Trivy severity threshold (e.g. CRITICAL,HIGH or just CRITICAL)'
+        required: false
+        type: string
+        default: 'CRITICAL,HIGH'
+      semgrep-config:
+        description: 'Semgrep config (default auto detects rules per language)'
+        required: false
+        type: string
+        default: 'auto'
+
+jobs:
+  semgrep:
+    name: Semgrep SAST
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install Semgrep
+        run: pip install --no-cache-dir semgrep
+
+      - name: Run Semgrep scan
+        # --config=auto pulls language-appropriate rule packs from semgrep.dev
+        # without requiring an account. --error makes the job fail when
+        # findings at or above the chosen severity exist.
+        run: semgrep scan --config=${{ inputs.semgrep-config }} --error --severity=ERROR --severity=WARNING
+
+  trivy:
+    name: Trivy Vulnerability Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Trivy filesystem scan
+        # Scans dependency manifests (NuGet, npm, package-lock etc.) against
+        # the NVD CVE database. ignore-unfixed skips findings that have no
+        # patched version available so we focus on actionable items.
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          scan-ref: .
+          severity: ${{ inputs.severity }}
+          exit-code: '1'
+          ignore-unfixed: true