JonKazama-Hellion/security-workflows
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3 Commits 1 Branch 0 Tags
main
Commit Graph

2 Commits

Author SHA1 Message Date
JonKazama-Hellion c0d2b12b4f Add semgrep-exclude-rules input, drop WARNING-severity-as-failing 
Two changes for noise reduction and per-repo control:

1. New optional input `semgrep-exclude-rules` (comma-separated rule
   IDs). Lets a consumer skip rules that are context-specific false
   positives (e.g. SQLi rules in a local-only plugin with SqlParameter-
   bound values).

2. Semgrep now only fails the build on ERROR-severity findings.
   WARNING-level rules still run for visibility but do not block.
   Keeps the noise floor low while still surfacing concerns.

Both are opt-in for consumers, default behaviour stays scan-everything.
 2026-05-09 11:53:36 +02:00
JonKazama-Hellion 61dd7bf214 Initial reusable security-scan workflow 
Semgrep SAST + Trivy filesystem scan, runs in parallel.
Either job failing fails the calling workflow.

Inputs:
- severity (Trivy threshold, default CRITICAL,HIGH)
- semgrep-config (rule pack, default auto)
 2026-05-09 11:20:11 +02:00