c0d2b12b4f
Two changes for noise reduction and per-repo control:

1. New optional input `semgrep-exclude-rules` (comma-separated rule IDs). Lets a consumer skip rules that are context-specific false positives (e.g. SQLi rules in a local-only plugin with SqlParameter-bound values).
2. Semgrep now only fails the build on ERROR-severity findings. WARNING-level rules still run for visibility but do not block. Keeps the noise floor low while still surfacing concerns.

Both are opt-in for consumers, default behaviour stays scan-everything.
60 lines
2.4 KiB
Markdown
# security-workflows
Reusable Gitea Actions workflows for security scanning across Hellion repos. One central definition that all consumer repos call via a tiny stub.
## Usage
In any consumer repo, add `.gitea/workflows/security.yml`:
```yaml
name: Security
on:
  push:
    branches: [main, master]
  pull_request:
  schedule:
    - cron: '0 6 * * 1' # weekly Monday 06:00 UTC
  workflow_dispatch:

jobs:
  scan:
    uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main
```
That is the entire stub. Five lines of `jobs:` plus the trigger config the consumer actually wants.
## What runs
| Tool | What it does |
|---|---|
| **Semgrep** (auto-config) | SAST scanning for common vulnerability patterns across C#, JavaScript, TypeScript, Python, Go and more. Pulls language-appropriate rule packs from semgrep.dev. |
| **Trivy** (filesystem scan) | Dependency vulnerability scanning against the NVD CVE database. Picks up NuGet `*.csproj`, npm `package.json`/`package-lock.json`, Dockerfiles and more. |
Both jobs run in parallel. Either failing fails the calling workflow.
## Tuning per consumer
The reusable workflow accepts three optional inputs:
```yaml
jobs:
  scan:
    uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main
    with:
      severity: 'CRITICAL'               # default 'CRITICAL,HIGH'
      semgrep-config: 'p/owasp-top-ten'  # default 'auto'
      semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli,javascript.express.security.audit.express-cookie'
```
| Input | Default | What |
|---|---|---|
| `severity` | `CRITICAL,HIGH` | Trivy severity threshold for failing the build |
| `semgrep-config` | `auto` | Semgrep rule pack (e.g. `p/owasp-top-ten`, `p/javascript`, `p/csharp`) |
| `semgrep-exclude-rules` | (empty) | Comma-separated Semgrep rule IDs to skip in this repo. Useful for context-specific false positives, e.g. SQL-injection rules in a local-only plugin where the SQL strings come from code constants and the values are bound via SqlParameter. |
Note that Semgrep is configured to fail the build only on `ERROR`-severity findings. `WARNING`-level rules still run for visibility but do not block, which keeps the noise floor low.
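The two Semgrep behaviours described above (the comma-separated `semgrep-exclude-rules` input and the ERROR-only blocking policy) are easy to get subtly wrong in a workflow step, so here is a small gate script that shows both in one place. This is an added example, not the security-workflows project's own implementation: it assumes the `semgrep scan --config ... --exclude-rule ... --json` CLI flags and the JSON report layout (`results[].check_id`, `results[].path`, `results[].start.line`, `results[].extra.severity`) that the semgrep CLI emits, and the sample report below is constructed, not captured from a real scan.

```python
"""Illustrative gate for a Semgrep workflow step (added example, not the
project's own code).

Assumptions: semgrep CLI flags --config / --exclude-rule / --json, and a
JSON report shaped like {"results": [{"check_id", "path", "start": {"line"},
"extra": {"severity"}}], "errors": []}.
"""


def semgrep_args(config: str = "auto", exclude_rules: str = "") -> list[str]:
    """Turn the workflow inputs into a semgrep command line.

    `exclude_rules` is the comma-separated `semgrep-exclude-rules` input.
    Blank entries and whitespace around IDs are tolerated so that a consumer
    can write 'a, b' as well as 'a,b' without producing an empty --exclude-rule.
    """
    args = ["semgrep", "scan", "--config", config, "--json"]
    for rule_id in exclude_rules.split(","):
        rule_id = rule_id.strip()
        if rule_id:
            args += ["--exclude-rule", rule_id]
    return args


def gate(report: dict, blocking_severity: str = "ERROR") -> tuple[bool, list[str]]:
    """Decide whether a Semgrep JSON report should fail the build.

    Returns (should_fail, log_lines). Every finding is listed so WARNING and
    INFO results stay visible in the job log; only findings at
    `blocking_severity` flip should_fail to True.
    """
    should_fail = False
    log_lines = []
    for finding in report.get("results", []):
        severity = finding.get("extra", {}).get("severity", "INFO")
        line = finding.get("start", {}).get("line")
        log_lines.append(f"[{severity}] {finding.get('check_id')} at {finding.get('path')}:{line}")
        if severity == blocking_severity:
            should_fail = True
    return should_fail, log_lines


def excluded(report: dict, exclude_rules: str) -> dict:
    """Drop findings whose check_id is in the exclude list.

    This mirrors what --exclude-rule does inside semgrep itself; it is
    reproduced here only so the effect of the input can be shown offline.
    """
    skip = {r.strip() for r in exclude_rules.split(",") if r.strip()}
    kept = [f for f in report.get("results", []) if f.get("check_id") not in skip]
    return {**report, "results": kept}


# Constructed sample report (not real scan output): one WARNING and one ERROR.
SAMPLE_REPORT = {
    "results": [
        {"check_id": "javascript.express.security.audit.express-cookie",
         "path": "src/server.js", "start": {"line": 12},
         "extra": {"severity": "WARNING", "message": "cookie flags"}},
        {"check_id": "csharp.lang.security.sqli.csharp-sqli",
         "path": "Plugin/Db.cs", "start": {"line": 40},
         "extra": {"severity": "ERROR", "message": "possible SQL injection"}},
    ],
    "errors": [],
}


if __name__ == "__main__":
    print(" ".join(semgrep_args("p/owasp-top-ten", "csharp.lang.security.sqli.csharp-sqli")))
    fail, lines = gate(SAMPLE_REPORT)
    print("\n".join(lines))
    print("block build:", fail)
    fail_after, lines_after = gate(excluded(SAMPLE_REPORT, "csharp.lang.security.sqli.csharp-sqli"))
    print("\n".join(lines_after))
    print("block build after excluding the SQLi rule:", fail_after)
```

Run against the constructed report, the gate blocks because of the ERROR-level SQLi finding while still printing the WARNING-level cookie finding; after the SQLi rule ID is placed in the exclude list, only the WARNING remains and the build passes, which is exactly the per-repo tuning the input is meant for.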
## Pinning
Consumers reference `@main` for rolling updates. To pin a specific commit, use the SHA: `@<sha>`. There are no tagged releases yet; the workflow API is intentionally minimal, so breaking changes should be rare.