JonKazama-Hellion/security-workflows
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c9a8000a84ea94c8a5846c9f7fae819177e3668c
security-workflows/.gitea/workflows/security-scan.yml
T
JonKazama-Hellion c9a8000a84 Replace aquasecurity/trivy-action with direct install 
The Trivy GitHub Action wrapper does nested checkouts and auth-juggling
that breaks on Self-Hosted Gitea Actions: 'Failure - Main Checkout
install script' on the first HellionChat run. Switching to the
upstream install.sh + plain `trivy fs` invocation has a smaller
surface and removes the action-internal git clone dance entirely.
2026-05-09 11:49:14 +02:00

62 lines
2.2 KiB
YAML
Raw Blame History

name: Security Scan (reusable)
# Reusable workflow consumed by per-repo security.yml stubs across the
# Hellion stack. Runs Semgrep SAST and Trivy filesystem scan in parallel.
# Either job failing fails the calling workflow.
on:
workflow_call:
inputs:
severity:
description: 'Trivy severity threshold (e.g. CRITICAL,HIGH or just CRITICAL)'
required: false
type: string
default: 'CRITICAL,HIGH'
semgrep-config:
description: 'Semgrep config (default auto detects rules per language)'
required: false
type: string
default: 'auto'
jobs:
semgrep:
name: Semgrep SAST
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Install Semgrep
run: pip install --no-cache-dir semgrep
- name: Run Semgrep scan
# --config=auto pulls language-appropriate rule packs from semgrep.dev
# without requiring an account. --error makes the job fail when
# findings at or above the chosen severity exist.
run: semgrep scan --config=${{ inputs.semgrep-config }} --error --severity=ERROR --severity=WARNING
trivy:
name: Trivy Vulnerability Scan
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Trivy
# Direct install via the official upstream script. The aquasecurity/
# trivy-action wrapper does nested checkouts and auth-juggling that
# does not play well with Self-Hosted Gitea Actions, this is more
# robust and a smaller surface.
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
- name: Run Trivy filesystem scan
# Scans dependency manifests (NuGet, npm, package-lock etc.) against
# the NVD CVE database. --ignore-unfixed skips findings that have
# no patched version available so we focus on actionable items.
run: trivy fs --severity ${{ inputs.severity }} --exit-code 1 --ignore-unfixed .
Reference in New Issue View Git Blame Copy Permalink