JonKazama-Hellion/security-workflows
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial reusable security-scan workflow

Browse Source 
Semgrep SAST + Trivy filesystem scan, runs in parallel.
Either job failing fails the calling workflow.

Inputs:
- severity (Trivy threshold, default CRITICAL,HIGH)
- semgrep-config (rule pack, default auto)
This commit is contained in:
Jon Kazama
2026-05-09 11:20:11 +02:00
commit 61dd7bf214
2 changed files with 112 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/security-scan.yml
+60
View File
@@ -0,0 +1,60 @@
name: Security Scan (reusable)
# Reusable workflow consumed by per-repo security.yml stubs across the
# Hellion stack. Runs Semgrep SAST and Trivy filesystem scan in parallel.
# Either job failing fails the calling workflow.
on:
workflow_call:
inputs:
severity:
description: 'Trivy severity threshold (e.g. CRITICAL,HIGH or just CRITICAL)'
required: false
type: string
default: 'CRITICAL,HIGH'
semgrep-config:
description: 'Semgrep config (default auto detects rules per language)'
required: false
type: string
default: 'auto'
jobs:
semgrep:
name: Semgrep SAST
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Install Semgrep
run: pip install --no-cache-dir semgrep
- name: Run Semgrep scan
# --config=auto pulls language-appropriate rule packs from semgrep.dev
# without requiring an account. --error makes the job fail when
# findings at or above the chosen severity exist.
run: semgrep scan --config=${{ inputs.semgrep-config }} --error --severity=ERROR --severity=WARNING
trivy:
name: Trivy Vulnerability Scan
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Trivy filesystem scan
# Scans dependency manifests (NuGet, npm, package-lock etc.) against
# the NVD CVE database. ignore-unfixed skips findings that have no
# patched version available so we focus on actionable items.
uses: aquasecurity/trivy-action@master
with:
scan-type: fs
scan-ref: .
severity: ${{ inputs.severity }}
exit-code: '1'
ignore-unfixed: true
README.md
+52
View File
@@ -0,0 +1,52 @@
# security-workflows
Reusable Gitea Actions workflows for security scanning across Hellion repos. One central definition that all consumer repos call via a tiny stub.
## Usage
In any consumer repo, add `.gitea/workflows/security.yml`:
```yaml
name: Security
on:
push:
branches: [main, master]
pull_request:
schedule:
- cron: '0 6 * * 1' # weekly Monday 06:00 UTC
workflow_dispatch:
jobs:
scan:
uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main
```
That is the entire stub. Five lines of `jobs:` plus the trigger config the consumer actually wants.
## What runs
| Tool | What it does |
|---|---|
| **Semgrep** (auto-config) | SAST scanning for common vulnerability patterns across C#, JavaScript, TypeScript, Python, Go and more. Pulls language-appropriate rule packs from semgrep.dev. |
| **Trivy** (filesystem scan) | Dependency vulnerability scanning against the NVD CVE database. Picks up NuGet `*.csproj`, npm `package.json`/`package-lock.json`, Dockerfiles and more. |
Both jobs run in parallel. Either failing fails the calling workflow.
## Tuning per consumer
The reusable workflow accepts two optional inputs:
```yaml
jobs:
scan:
uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main
with:
severity: 'CRITICAL' # default 'CRITICAL,HIGH'
semgrep-config: 'p/owasp-top-ten' # default 'auto'
```
`severity` is the Trivy threshold, `semgrep-config` swaps the rule pack (e.g. `p/owasp-top-ten`, `p/javascript`, `p/csharp`).
## Pinning
Consumers reference `@main` for rolling updates. To pin a specific commit, use the SHA: `@<sha>`. There are no tagged releases yet, the workflow API is intentionally minimal so breaking changes should be rare.