6b0e4de464
- docker-compose-gitea.yml.tpl: Gitea + SQLite container - app.ini.tpl: Gitea config (INSTALL_LOCK, Actions enabled, no registration) - docker-compose-runner.yml.tpl: act_runner Docker container (Linux) - runner-config.yaml.tpl: act_runner config (capacity=1, timeout=3h) - com.gitea.runner.plist.tpl: macOS launchd service for native runner - nginx-gitea.conf.tpl: Nginx reverse proxy with SSL/WebSocket support - workflows/security-scan.yml.tpl: Semgrep + Trivy + Gitleaks workflow Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
44 lines
1.1 KiB
Smarty
44 lines
1.1 KiB
Smarty
# Security scanning workflow — rendered from security-scan.yml.tpl
|
|
# Runs Semgrep, Trivy, and Gitleaks on every pull request.
|
|
# Each job reports as a status check for branch protection.
|
|
|
|
name: Security Scan
|
|
|
|
on:
|
|
pull_request:
|
|
branches:
|
|
- ${PROTECTED_BRANCH}
|
|
|
|
jobs:
|
|
semgrep:
|
|
name: Semgrep SAST
|
|
runs-on: linux
|
|
container:
|
|
image: returntocorp/semgrep:${SEMGREP_VERSION}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Run Semgrep
|
|
run: semgrep scan --config auto --error .
|
|
|
|
trivy:
|
|
name: Trivy Vulnerability Scan
|
|
runs-on: linux
|
|
container:
|
|
image: aquasec/trivy:${TRIVY_VERSION}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Run Trivy filesystem scan
|
|
run: trivy fs --exit-code 1 --severity HIGH,CRITICAL .
|
|
|
|
gitleaks:
|
|
name: Gitleaks Secret Detection
|
|
runs-on: linux
|
|
container:
|
|
image: zricethezav/gitleaks:${GITLEAKS_VERSION}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Run Gitleaks
|
|
run: gitleaks detect --source . --exit-code 1
|