security-scan-test/.gitea/workflows/security-scan.yml

name: Security Scanning

on:
  pull_request:
    branches: [ "main" ]
  workflow_dispatch: {}

env:
  TRIVY_VERSION: "0.69.3"
  GITLEAKS_VERSION: "8.18.4"
  COMPONENT_ID: security-scan-test

jobs:
  # ─────────────────────────────────────────────
  # 1. FILESYSTEM & DEPENDENCY SCAN
  #    Trivy auto-detects lockfiles (pom.xml,
  #    package-lock.json, go.sum, requirements.txt, etc.)
  #    and scans for vulns, secrets, and misconfigs.
  # ─────────────────────────────────────────────
  trivy-scan:
    name: Trivy — Filesystem & Dependency Scan
    runs-on: ubuntu-latest

    steps:
      - name: Checkout source
        uses: actions/checkout@v4

      - name: Install Trivy
        run: |
          set -e
          mkdir -p $HOME/.local/bin
          curl -sSfL "https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz" \
            | tar -xz -C $HOME/.local/bin trivy
          chmod +x $HOME/.local/bin/trivy
          echo "$HOME/.local/bin" >> $GITHUB_PATH

      - name: Run Trivy filesystem scan
        run: |
          $HOME/.local/bin/trivy fs \
            --exit-code 0 \
            --severity HIGH,CRITICAL \
            --format sarif \
            --output trivy-results.sarif \
            --scanners vuln,secret,misconfig \
            --dependency-tree \
            .

      - name: Upload SARIF report
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: trivy-sarif
          path: trivy-results.sarif
          retention-days: 30

      - name: Print human-readable summary
        run: |
          $HOME/.local/bin/trivy fs \
            --exit-code 0 \
            --severity MEDIUM,HIGH,CRITICAL \
            --format table \
            --scanners vuln,secret,misconfig \
            .

      - name: Enforce quality gate (CRITICAL — report only)
        run: |
          $HOME/.local/bin/trivy fs \
            --exit-code 0 \
            --severity CRITICAL \
            --scanners vuln,misconfig \
            .

  # ─────────────────────────────────────────────
  # 2. SECRET SCAN — detect leaked credentials
  #    across full git history.
  # ─────────────────────────────────────────────
  gitleaks-scan:
    name: Gitleaks — Secret Scan
    runs-on: ubuntu-latest

    steps:
      - name: Checkout source (full history)
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Install Gitleaks binary directly — the GitHub Action
      # relies on GITHUB_TOKEN which is unavailable on Gitea Act runners.
      - name: Install Gitleaks
        run: |
          set -e
          mkdir -p $HOME/.local/bin
          curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${{ env.GITLEAKS_VERSION }}/gitleaks_${{ env.GITLEAKS_VERSION }}_linux_x64.tar.gz" \
            | tar -xz -C $HOME/.local/bin gitleaks
          echo "$HOME/.local/bin" >> $GITHUB_PATH

      - name: Run Gitleaks
        run: |
          $HOME/.local/bin/gitleaks detect \
            --source . \
            --report-format sarif \
            --report-path gitleaks-results.sarif \
            --exit-code 1 \
            --log-level warn

      - name: Upload SARIF report
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: gitleaks-sarif
          path: gitleaks-results.sarif
          retention-days: 30

  # ─────────────────────────────────────────────
  # 3. SUMMARY — aggregate all SARIF reports
  # ─────────────────────────────────────────────
  security-summary:
    name: Security Summary
    needs:
      - trivy-scan
      - gitleaks-scan
    runs-on: ubuntu-latest
    if: always()

    steps:
      - name: Download Trivy SARIF
        uses: actions/download-artifact@v3
        with:
          name: trivy-sarif
          path: sarif-reports/
        continue-on-error: true

      - name: Download Gitleaks SARIF
        uses: actions/download-artifact@v3
        with:
          name: gitleaks-sarif
          path: sarif-reports/
        continue-on-error: true

      - name: List collected reports
        run: ls -lh sarif-reports/ || echo "No reports found"

      - name: Generate summary
        run: |
          echo "## Security Scan Results — ${{ env.COMPONENT_ID }}" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| Report | Size |" >> $GITHUB_STEP_SUMMARY
          echo "|--------|------|" >> $GITHUB_STEP_SUMMARY
          for f in sarif-reports/*.sarif; do
            [ -e "$f" ] || continue
            name=$(basename "$f")
            size=$(du -sh "$f" | cut -f1)
            echo "| $name | $size |" >> $GITHUB_STEP_SUMMARY
          done
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "Commit: \`${{ github.sha }}\`" >> $GITHUB_STEP_SUMMARY
          echo "Branch: \`${{ github.ref_name }}\`" >> $GITHUB_STEP_SUMMARY

      - name: Bundle all SARIF reports
        uses: actions/upload-artifact@v3
        with:
          name: all-sarif-reports
          path: sarif-reports/
          retention-days: 90