Two changes for noise reduction and per-repo control:
1. New optional input `semgrep-exclude-rules` (comma-separated rule
IDs). Lets a consumer skip rules that are context-specific false
positives (e.g. SQLi rules in a local-only plugin with SqlParameter-
bound values).
2. Semgrep now only fails the build on ERROR-severity findings.
WARNING-level rules still run for visibility but do not block.
Keeps the noise floor low while still surfacing concerns.
Both are opt-in for consumers; default behaviour stays scan-everything.

The Trivy GitHub Action wrapper does nested checkouts and auth-juggling
that breaks on Self-Hosted Gitea Actions: 'Failure - Main Checkout
install script' on the first HellionChat run. Switching to the
upstream install.sh + plain `trivy fs` invocation has a smaller
surface and removes the action-internal git clone dance entirely.
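
Added example, not the workflow's own code: one way to express the Semgrep gating described above (exclude listed rule IDs, block only on ERROR, still report WARNING) as a post-processing step over `semgrep --json` output. The function names and the rule IDs in the sample report are constructed for illustration, and exclusion is assumed to be an exact match on `check_id`.

```python
import json

# Constructed sample in the shape of `semgrep --json` output (not real scan data).
SAMPLE_REPORT = json.dumps({
    "results": [
        {"check_id": "csharp.sqli.constructed-rule", "path": "Plugin/Db.cs",
         "start": {"line": 42}, "extra": {"severity": "ERROR"}},
        {"check_id": "csharp.crypto.constructed-weak-hash", "path": "Plugin/Hash.cs",
         "start": {"line": 7}, "extra": {"severity": "WARNING"}},
        {"check_id": "csharp.deser.constructed-rule", "path": "Plugin/Load.cs",
         "start": {"line": 19}, "extra": {"severity": "ERROR"}},
    ]
})


def parse_exclude_rules(raw):
    """Split the comma-separated input into a set of rule IDs, ignoring blanks."""
    return {rule.strip() for rule in (raw or "").split(",") if rule.strip()}


def gate(report_json, exclude_rules_raw=""):
    """Return (blocking, advisory) findings; only ERROR severity blocks."""
    excluded = parse_exclude_rules(exclude_rules_raw)
    blocking, advisory = [], []
    for finding in json.loads(report_json).get("results", []):
        rule_id = finding["check_id"]
        if rule_id in excluded:
            continue  # consumer opted out of this rule for this repo
        severity = finding.get("extra", {}).get("severity", "").upper()
        entry = (rule_id, finding["path"], finding["start"]["line"], severity)
        (blocking if severity == "ERROR" else advisory).append(entry)
    return blocking, advisory


def exit_code(report_json, exclude_rules_raw=""):
    """0 when nothing blocks, 1 when at least one ERROR finding remains."""
    blocking, advisory = gate(report_json, exclude_rules_raw)
    for rule_id, path, line, severity in blocking + advisory:
        print(f"{severity:8} {path}:{line} {rule_id}")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(exit_code(SAMPLE_REPORT, "csharp.sqli.constructed-rule"))
```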