Skip to content

Commit 0d9701d

Browse files
author
hallelx2
committed
chore(standards): created local '.github/workflows/security.reusable.yml' from remote '.github/workflows/security.reusable.yml'
Synced AI-review standards from hallelx2/dev-standards.
1 parent 0ffbdc2 commit 0d9701d

1 file changed

Lines changed: 113 additions & 0 deletions

File tree

Lines changed: 113 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,113 @@
1+
name: security (reusable)
2+
3+
# Deterministic security scanners, written once and called by every repo via
4+
# `.github/workflows/security.yml`. The AI reviewers (Copilot agents + Jules) sit
5+
# on top of this. This layer catches the textbook vuln classes + real CVEs.
6+
# Layers: secrets, dependency CVEs (multi-ecosystem + Go-specific), SAST against
7+
# OWASP Top 10 / CWE Top 25, and infra/misconfig.
8+
9+
on:
10+
workflow_call: {}
11+
12+
permissions:
13+
contents: read
14+
pull-requests: read
15+
security-events: write
16+
17+
jobs:
18+
secret-scan:
19+
name: Secrets (gitleaks)
20+
runs-on: ubuntu-latest
21+
steps:
22+
- uses: actions/checkout@v4
23+
with:
24+
fetch-depth: 0
25+
- uses: gitleaks/gitleaks-action@v2
26+
env:
27+
GITHUB_TOKEN: ${{ github.token }}
28+
29+
sast-semgrep:
30+
name: SAST — OWASP Top 10 + CWE Top 25 (Semgrep)
31+
runs-on: ubuntu-latest
32+
container:
33+
image: semgrep/semgrep
34+
steps:
35+
- uses: actions/checkout@v4
36+
- name: Semgrep scan (industry rulesets)
37+
run: |
38+
semgrep scan \
39+
--config p/owasp-top-ten \
40+
--config p/cwe-top-25 \
41+
--config p/secrets \
42+
--config p/github-actions \
43+
--sarif --output semgrep.sarif || true
44+
- name: Upload Semgrep SARIF
45+
if: always()
46+
uses: github/codeql-action/upload-sarif@v3
47+
with:
48+
sarif_file: semgrep.sarif
49+
continue-on-error: true
50+
51+
deps-osv:
52+
name: Dependency CVEs (OSV-Scanner)
53+
runs-on: ubuntu-latest
54+
steps:
55+
- uses: actions/checkout@v4
56+
- name: OSV-Scanner
57+
uses: google/osv-scanner-action@v1.9.1
58+
with:
59+
scan-args: "-r --skip-git ./"
60+
continue-on-error: true
61+
62+
go-cves:
63+
name: Go CVEs (govulncheck)
64+
runs-on: ubuntu-latest
65+
steps:
66+
- uses: actions/checkout@v4
67+
- name: Detect Go module
68+
id: detect
69+
run: |
70+
if [ -f go.mod ]; then echo "is_go=true" >> "$GITHUB_OUTPUT"; else echo "is_go=false" >> "$GITHUB_OUTPUT"; fi
71+
- uses: actions/setup-go@v5
72+
if: steps.detect.outputs.is_go == 'true'
73+
with:
74+
go-version: stable
75+
- name: govulncheck (only CVEs that reach real call paths)
76+
if: steps.detect.outputs.is_go == 'true'
77+
run: |
78+
go install golang.org/x/vuln/cmd/govulncheck@latest
79+
govulncheck ./... || true
80+
81+
go-sast:
82+
name: Go SAST (gosec)
83+
runs-on: ubuntu-latest
84+
steps:
85+
- uses: actions/checkout@v4
86+
- name: Detect Go module
87+
id: detect
88+
run: |
89+
if [ -f go.mod ]; then echo "is_go=true" >> "$GITHUB_OUTPUT"; else echo "is_go=false" >> "$GITHUB_OUTPUT"; fi
90+
- name: gosec
91+
if: steps.detect.outputs.is_go == 'true'
92+
uses: securego/gosec@master
93+
with:
94+
args: -no-fail -fmt text ./...
95+
96+
infra-trivy:
97+
name: Vulns + misconfig (Trivy)
98+
runs-on: ubuntu-latest
99+
steps:
100+
- uses: actions/checkout@v4
101+
- name: Trivy filesystem scan
102+
uses: aquasecurity/trivy-action@0.28.0
103+
with:
104+
scan-type: fs
105+
scanners: vuln,secret,misconfig
106+
severity: HIGH,CRITICAL
107+
ignore-unfixed: true
108+
format: table
109+
exit-code: '0' # report-only to start; flip to '1' once the baseline is clean
110+
111+
# Deepest free SAST = CodeQL. It needs per-repo language detection, so enable it
112+
# per PUBLIC repo via Settings → Code security → Code scanning → Default setup (auto).
113+
# Private repos (control-plane, deploy) rely on the Semgrep + OSV + gosec jobs above.

0 commit comments

Comments
 (0)