6acf3ae8a8
Some checks failed
Veza CI / Backend (Go) (push) Failing after 14m40s
Veza CI / Frontend (Web) (push) Failing after 4m27s
Veza CI / Rust (Stream Server) (push) Failing after 6m24s
Security Scan / Secret Scanning (gitleaks) (push) Failing after 2m46s
Stream Server CI / test (push) Failing after 3m9s
Veza CI / Notify on failure (push) Successful in 5s
- Rewrite ci.yml: replace TMT with direct go test/lint/build commands, remove E2E jobs (need docker compose infra, run locally instead) - Replace third-party actions with CLI equivalents: gitleaks-action → gitleaks CLI, trivy-action → trivy CLI, actions-rust-lang/audit → cargo audit, CodeQL → disabled - Disable 18 non-essential workflows (cloud services, DinD, staging): chromatic, cd, container-scan, zap-dast, visual-regression, mutation-testing, performance, load-test, etc. - Keep 8 core workflows: ci, backend-ci, frontend-ci, rust-ci, stream-ci, security-scan, trivy-fs, go-fuzz Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
43 lines
1.1 KiB
Text
43 lines
1.1 KiB
Text
name: Semgrep SAST
|
|
|
|
on:
|
|
pull_request:
|
|
branches: [main]
|
|
schedule:
|
|
- cron: "0 3 * * 1" # Weekly on Monday at 3am UTC
|
|
workflow_dispatch:
|
|
|
|
env:
|
|
GIT_SSL_NO_VERIFY: "true"
|
|
NODE_TLS_REJECT_UNAUTHORIZED: "0"
|
|
|
|
jobs:
|
|
semgrep:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 15
|
|
|
|
container:
|
|
image: returntocorp/semgrep
|
|
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
|
|
- name: Run Semgrep
|
|
run: >
|
|
semgrep scan
|
|
--config p/auto
|
|
--config p/owasp-top-ten
|
|
--config p/r2c-security-audit
|
|
--error
|
|
--json
|
|
--output semgrep-results.json
|
|
.
|
|
continue-on-error: true
|
|
|
|
- name: Upload Semgrep results
|
|
if: always()
|
|
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
|
|
with:
|
|
name: semgrep-results
|
|
path: semgrep-results.json
|
|
retention-days: 30
|