renovate-bot 27a469b169 fix(scan): pin Trivy to v0.70.0 to avoid GitHub rate-limit
The trivy install script otherwise queries api.github.com unauthenticated
for the latest release tag. Self-hosted runners hit the rate limit quickly
when multiple workflows run in succession, leading to empty version
resolution and install failures.

Version pinned with renovate annotation so updates flow through Renovate.
2026-05-12 00:12:13 +00:00

security-workflows

Reusable Gitea Actions workflows for security scanning across Hellion repos. One central definition that all consumer repos call via a tiny stub.

Usage

In any consumer repo, add .gitea/workflows/security.yml:

name: Security
on:
  push:
    branches: [main, master]
  pull_request:
  schedule:
    - cron: '0 6 * * 1'   # weekly Monday 06:00 UTC
  workflow_dispatch:

jobs:
  scan:
    uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main

That is the entire stub: five lines of `jobs:` plus the trigger config the consumer actually wants.

What runs

| Tool | What it does |
| --- | --- |
| Semgrep (auto-config) | SAST scanning for common vulnerability patterns across C#, JavaScript, TypeScript, Python, Go and more. Pulls language-appropriate rule packs from semgrep.dev. |
| Trivy (filesystem scan) | Dependency vulnerability scanning against the NVD CVE database. Picks up NuGet *.csproj, npm package.json/package-lock.json, Dockerfiles and more. |

Both jobs run in parallel. Either failing fails the calling workflow.

Tuning per consumer

The reusable workflow accepts three optional inputs:

jobs:
  scan:
    uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main
    with:
      severity: 'CRITICAL'                # default 'CRITICAL,HIGH'
      semgrep-config: 'p/owasp-top-ten'   # default 'auto'
      semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli,javascript.express.security.audit.express-cookie'

| Input | Default | What |
| --- | --- | --- |
| severity | CRITICAL,HIGH | Trivy severity threshold for failing the build |
| semgrep-config | auto | Semgrep rule pack (e.g. p/owasp-top-ten, p/javascript, p/csharp) |
| semgrep-exclude-rules | (empty) | Comma-separated Semgrep rule IDs to skip in this repo. Useful for context-specific false positives, e.g. SQL-injection rules in a local-only plugin where the SQL strings come from code constants and the values are bound via SqlParameter. |

Note that Semgrep is configured to fail the build only on ERROR-severity findings. WARNING-level rules still run for visibility but do not block, which keeps the noise floor low.
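The gating rule above (block only on ERROR-severity findings, skip rule IDs listed in `semgrep-exclude-rules`, keep everything else visible) can be checked outside the runner. The following is an added illustration, not the workflow's own code: it reads a constructed sample in the shape of `semgrep --json` output (only the `check_id`, `path`, `start.line` and `extra.severity` fields are used) and reproduces the triage. The two rule IDs from the README are reused; the third rule ID and all paths are constructed.

```python
import json

# Constructed sample in the shape of `semgrep --json` output; only the
# fields this gate reads are filled in. The two csharp/javascript rule IDs
# are the ones from the README, the third is a made-up placeholder.
SAMPLE_SEMGREP_JSON = json.dumps({
    "results": [
        {
            "check_id": "csharp.lang.security.sqli.csharp-sqli",
            "path": "Plugin/Db.cs",
            "start": {"line": 42},
            "extra": {"severity": "ERROR", "message": "SQL query built by string concatenation"},
        },
        {
            "check_id": "javascript.express.security.audit.express-cookie",
            "path": "web/app.js",
            "start": {"line": 7},
            "extra": {"severity": "WARNING", "message": "Cookie set without the secure flag"},
        },
        {
            "check_id": "example.constructed.hardcoded-secret",
            "path": "tools/run.py",
            "start": {"line": 3},
            "extra": {"severity": "ERROR", "message": "Hard-coded credential"},
        },
    ]
})


def parse_exclude_rules(raw: str) -> set[str]:
    """Parse the comma-separated `semgrep-exclude-rules` input into a set of rule IDs."""
    return {rule.strip() for rule in raw.split(",") if rule.strip()}


def triage(semgrep_json: str, exclude_rules: str = "") -> dict:
    """Split findings into blocking (ERROR and not excluded), advisory
    (lower severity, shown but never blocking) and suppressed (excluded rule IDs)."""
    excluded = parse_exclude_rules(exclude_rules)
    buckets = {"blocking": [], "advisory": [], "suppressed": []}
    for finding in json.loads(semgrep_json).get("results", []):
        if finding["check_id"] in excluded:
            buckets["suppressed"].append(finding)
        elif finding["extra"]["severity"] == "ERROR":
            buckets["blocking"].append(finding)
        else:
            buckets["advisory"].append(finding)
    return buckets


def gate(semgrep_json: str, exclude_rules: str = "") -> int:
    """Exit code the scan step would use: 1 if any blocking finding remains, else 0.
    Every finding is still printed so suppressed and advisory ones stay visible."""
    buckets = triage(semgrep_json, exclude_rules)
    for bucket in ("blocking", "advisory", "suppressed"):
        for f in buckets[bucket]:
            print(f"[{bucket:10}] {f['extra']['severity']:7} {f['check_id']} "
                  f"{f['path']}:{f['start']['line']}")
    return 1 if buckets["blocking"] else 0


if __name__ == "__main__":
    # Same exclusion a local-only plugin might set; the hard-coded-secret
    # finding is still ERROR and still blocks.
    raise SystemExit(gate(SAMPLE_SEMGREP_JSON, "csharp.lang.security.sqli.csharp-sqli"))
```

Excluding a rule suppresses it for the whole repo, so the check prints suppressed findings too; that keeps an exclusion added for one false positive from silently hiding a later real hit on the same rule.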

Pinning

Consumers reference @main for rolling updates. To pin a specific commit, use the SHA instead: @<sha>. There are no tagged releases yet; the workflow API is intentionally minimal, so breaking changes should be rare.
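Whether a consumer stub is on the rolling @main reference or pinned to a commit is easy to audit across repos. The following is an added example, not part of this repository: it scans workflow text for `uses:` references, treats only a full 40-hex SHA as pinned (a branch or a version-like tag can be moved, so both are reported as unpinned), and returns the references that still float. The stub text and the placeholder SHA are constructed; the SHA is not a real commit of this repository.

```python
import re

# `uses: owner/repo/path@ref`, quoted or bare, as written in a Gitea/GitHub workflow.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?(?P<target>[^@'"\s]+)@(?P<ref>[^'"\s]+)['"]?"""
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed consumer stub in the shape the README shows.
ROLLING_STUB = """\
name: Security
on:
  push:
    branches: [main, master]
jobs:
  scan:
    uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main
"""

# Constructed placeholder SHA (not a real commit of the repository).
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"
PINNED_STUB = ROLLING_STUB.replace("@main", "@" + PLACEHOLDER_SHA)


def classify_ref(ref: str) -> str:
    """'sha' for a full 40-hex commit, 'tag' for a version-like ref, otherwise 'branch'.
    Only 'sha' is immutable; tags and branches can be re-pointed."""
    if FULL_SHA_RE.fullmatch(ref):
        return "sha"
    if re.fullmatch(r"v?\d+(\.\d+)*", ref):
        return "tag"
    return "branch"


def audit_uses(workflow_text: str) -> list[dict]:
    """Collect every `uses:` reference in the workflow with its line and pin status."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        kind = classify_ref(m["ref"])
        findings.append({
            "line": lineno,
            "target": m["target"],
            "ref": m["ref"],
            "kind": kind,
            "pinned": kind == "sha",
        })
    return findings


def unpinned(workflow_text: str) -> list[str]:
    """References that are not pinned to a commit SHA, as `target@ref` strings."""
    return [f"{f['target']}@{f['ref']}" for f in audit_uses(workflow_text) if not f["pinned"]]


if __name__ == "__main__":
    for name, text in (("rolling", ROLLING_STUB), ("pinned", PINNED_STUB)):
        for f in audit_uses(text):
            status = "pinned" if f["pinned"] else f"UNPINNED ({f['kind']})"
            print(f"{name}: line {f['line']} {f['target']}@{f['ref']} -> {status}")
```

Running this over every consumer repo's .gitea/workflows/security.yml gives a quick inventory of which repos follow the rolling reference and which have frozen a commit, which is the information you need before publishing a change to the reusable workflow.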
