3.9 KiB
CI — Security gate (secrets, SCA, SBOM, semgrep, licenses)
Every PR passes through this gate before merge. Every scheduled run re-scans main. Pair with ci-github-actions.md / ci-forgejo-actions.md (the shell) and RULE 0.8 (secrets SSoT) / RULE 0.1 (no-github-push) — the gate enforces both.
Scanner set (one job each, matrix is fine)
| Concern | Tool | Trigger | Fail threshold |
|---|---|---|---|
| Leaked secrets | gitleaks [VERIFIED: https://github.com/gitleaks/gitleaks] | PR + push | any finding |
| Rust SCA | cargo-audit [VERIFIED: https://github.com/rustsec/rustsec] | PR + cron daily | any Vulnerability |
| Node SCA | npm audit / pnpm audit (native) |
PR + cron | high and above |
| Python SCA | pip-audit [VERIFIED: https://github.com/pypa/pip-audit] | PR + cron | any CVE |
| SBOM generation | syft [VERIFIED: https://github.com/anchore/syft] | release only | CycloneDX JSON as artefact |
| SAST / patterns | semgrep [VERIFIED: https://github.com/semgrep/semgrep] | PR | any ERROR severity |
| License policy | cargo-deny [VERIFIED: https://github.com/EmbarkStudios/cargo-deny] (Rust) / license-checker (JS) | PR | disallowed SPDX ID |
gitleaks — secrets scan (always first)
Runs before any build step so that a detected secret aborts the job without ever shipping a binary that used it.
- uses: gitleaks/gitleaks-action@v2 # [VERIFIED: https://github.com/gitleaks/gitleaks-action]
env:
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} # orgs only; free for ≤25 users
Custom rules in .gitleaks.toml at repo root — mirror the patterns from ~/.claude/rules/secrets-single-source.md (sk-, ghp_, sk-ant-, Telegram bot, AWS access key, etc.). Any hit FAILS the run. No "informational" severity for secrets.
cargo-audit / pip-audit / npm audit
Daily cron to catch CVEs published after merge. Fail-fast on HIGH/CRITICAL; report MEDIUM to a tracking issue rather than blocking the PR.
- run: cargo audit --deny warnings --deny unmaintained --deny yanked
Pin the advisory-DB commit in vendored copies; upstream can get taken down.
SBOM via syft
Generate CycloneDX JSON for every published artefact. Attach to the GitHub Release (see ci-release-automation.md) and to the container image as an OCI annotation.
- uses: anchore/sbom-action@v0 # [VERIFIED: https://github.com/anchore/sbom-action]
with:
format: cyclonedx-json
artifact-name: sbom.cdx.json
SLSA provenance (slsa-framework/slsa-github-generator) is an optional upgrade; required when shipping to any customer under a supply-chain contract.
semgrep — SAST
p/default + p/secrets + p/owasp-top-ten + any language pack relevant to the repo. Custom rules under .semgrep/*.yaml for project-specific patterns (e.g. "no unwrap() in request handlers").
- uses: semgrep/semgrep-action@v1 # [VERIFIED: https://github.com/semgrep/semgrep-action]
env:
SEMGREP_RULES: p/default p/secrets p/owasp-top-ten
License policy
cargo-deny deny.toml declares allowed SPDX identifiers (MIT, Apache-2.0, BSD-3-Clause, ISC, Unicode-DFS-2016). Anything else FAILS the PR. GPL / AGPL / SSPL in a commercial repo = hard stop. For JS, license-checker --failOn 'GPL;AGPL;SSPL'.
Scheduling
on:
pull_request:
push: { branches: [main] }
schedule:
- cron: "17 3 * * *" # daily 03:17 UTC — off-hour, avoids global burst
Forbidden
- Running the security gate AFTER build/test (secret must block before the secret-using binary exists)
- Allowing "informational" severity on secrets scans (gitleaks = binary; 0 or 1)
- Skipping
cargo-audit/pip-auditon release workflows (a CVE published yesterday ships today without it) - Uploading SBOM to a public artefact store from a RULE-0.1 repo (internal artefact store only)
- Copy-pasting a secret detected by gitleaks into the chat to "discuss" — rotate at provider FIRST, then discuss