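name: Security Scan (reusable)
# Reusable workflow consumed by per-repo security.yml stubs across the
# Hellion stack. Runs Semgrep SAST and Trivy filesystem scan in parallel.
# Either job failing fails the calling workflow.

# Both jobs only read the checked-out tree; they never push, comment or
# create releases. Asking for read-only contents keeps the GITHUB_TOKEN
# handed to these jobs at least privilege even if the caller is broader.
# (A called workflow can only narrow, never widen, the caller's grant.)
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      severity:
        description: 'Trivy severity threshold (e.g. CRITICAL,HIGH or just CRITICAL)'
        required: false
        type: string
        default: 'CRITICAL,HIGH'
      semgrep-config:
        description: 'Semgrep config (default auto detects rules per language)'
        required: false
        type: string
        default: 'auto'

jobs:
  semgrep:
    name: Semgrep SAST
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # The scan never writes back to the repo, so do not leave the
          # token in .git/config where any later step (or a malicious
          # dependency pulled in by `pip install`) could read it.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.x'

      - name: Install Semgrep
        # NOTE(review): unpinned install - each run resolves whatever the
        # newest semgrep release on PyPI is. Pin to a known version
        # (`semgrep==<version>`) once one has been validated so a rule-pack
        # or CLI change upstream cannot silently alter what "pass" means.
        run: pip install --no-cache-dir semgrep

      - name: Run Semgrep scan
        # --config=auto pulls language-appropriate rule packs from semgrep.dev
        # without requiring an account. --error makes the job fail when
        # findings at or above the chosen severity exist.
        #
        # The caller-supplied input is handed over as an environment variable
        # and quoted in the command instead of being expanded with ${{ }}
        # inside `run:`. An expression expansion is substituted into the
        # script text before the shell parses it, so a value containing
        # shell metacharacters would run as code; as an env var it is data.
        env:
          SEMGREP_CONFIG: ${{ inputs.semgrep-config }}
        run: semgrep scan --config="$SEMGREP_CONFIG" --error --severity=ERROR --severity=WARNING

  trivy:
    name: Trivy Vulnerability Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Read-only scan; see the semgrep job for why credentials are dropped.
          persist-credentials: false

      - name: Install Trivy
        # Direct install via the official upstream script. The aquasecurity/
        # trivy-action wrapper does nested checkouts and auth-juggling that
        # does not play well with Self-Hosted Gitea Actions, this is more
        # robust and a smaller surface.
        #
        # NOTE(review): this fetches the installer from the `main` branch and
        # pipes it to a root shell, so whatever is on `main` at run time is
        # trusted. The installer accepts a release tag as a trailing argument
        # (`sh -s -- -b /usr/local/bin <release-tag>`); pin one, and preferably
        # fetch the installer from the matching tag rather than `main`, so
        # the scanner version is reproducible and reviewable. The runner's
        # default bash shell uses `-o pipefail`, so a failed download (curl
        # -f) still fails the step instead of running a truncated script.
        run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin

      - name: Run Trivy filesystem scan
        # Scans dependency manifests (NuGet, npm, package-lock etc.) against
        # the NVD CVE database. --ignore-unfixed skips findings that have
        # no patched version available so we focus on actionable items.
        #
        # The severity threshold comes from the caller; it is passed as an
        # env var and quoted for the same reason as the Semgrep config above.
        env:
          SCAN_SEVERITY: ${{ inputs.severity }}
        run: trivy fs --severity "$SCAN_SEVERITY" --exit-code 1 --ignore-unfixed .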