security-workflows/.gitea/workflows/security-scan.yml
JonKazama-Hellion 61dd7bf214 Initial reusable security-scan workflow
Semgrep SAST + Trivy filesystem scan, runs in parallel.
Either job failing fails the calling workflow.

Inputs:
- severity (Trivy threshold, default CRITICAL,HIGH)
- semgrep-config (rule pack, default auto)
2026-05-09 11:20:11 +02:00


name: Security Scan (reusable)
# Reusable workflow consumed by per-repo security.yml stubs across the
# Hellion stack. Runs Semgrep SAST and Trivy filesystem scan in parallel.
# Either job failing fails the calling workflow.
on:
  workflow_call:
    inputs:
      severity:
        description: 'Trivy severity threshold (e.g. CRITICAL,HIGH or just CRITICAL)'
        required: false
        type: string
        default: 'CRITICAL,HIGH'
      semgrep-config:
        description: 'Semgrep config (default auto detects rules per language)'
        required: false
        type: string
        default: 'auto'
jobs:
  semgrep:
    name: Semgrep SAST
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - name: Install Semgrep
        run: pip install --no-cache-dir semgrep
      - name: Run Semgrep scan
        # --config=auto pulls language-appropriate rule packs from semgrep.dev
        # without requiring an account. --severity keeps only ERROR and WARNING
        # findings (INFO is dropped); --error then returns a non-zero exit code
        # whenever any findings remain, which fails the job.
        run: semgrep scan --config=${{ inputs.semgrep-config }} --error --severity=ERROR --severity=WARNING
  trivy:
    name: Trivy Vulnerability Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run Trivy filesystem scan
        # Scans dependency manifests (NuGet, npm, package-lock etc.) against
        # the NVD CVE database. ignore-unfixed skips findings that have no
        # patched version available so we focus on actionable items.
        # Note: @master tracks the action's moving tip; pinning to a release
        # tag or commit SHA gives a reproducible, reviewable supply chain.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          severity: ${{ inputs.severity }}
          exit-code: '1'
          ignore-unfixed: true
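A per-repo caller stub of the kind the header comment describes, added here as an example rather than a file from this repository. The `JonKazama-Hellion/security-workflows` path comes from the page; the `@main` ref, the trigger branches and the per-repo input values are assumptions, and it assumes Gitea Actions resolves `jobs.<id>.uses` the same way GitHub Actions does.

```yaml
# .gitea/workflows/security.yml in a consuming repository (added example;
# the @main ref, branch names and input values are assumptions)
name: Security
on:
  push:
    branches: [main]
  pull_request:
jobs:
  scan:
    # One job reference runs both the semgrep and trivy jobs of the reusable
    # workflow in parallel; if either fails, this job and the run fail.
    uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main
    with:
      # Tighten the Trivy gate to CRITICAL only for this repo; omit the key
      # to inherit the workflow default of CRITICAL,HIGH.
      severity: CRITICAL
      # Keep Semgrep's per-language auto rules; a registry pack such as
      # p/ci can be substituted to pin the rule set.
      semgrep-config: auto
```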