cli/.forgejo/workflows/security-scan.yml

# Sovereign security scanning — no cloud dependencies
# Replaces: GitHub Dependabot, CodeQL, Advanced Security
# PCI DSS: Req 6.3.2 (code review), Req 11.3 (vulnerability scanning)

name: Security Scan

on:
  push:
    branches: [main, dev, 'feat/*']
  pull_request:
    branches: [main]

jobs:
  govulncheck:
    name: Go Vulnerability Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.25'
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Run govulncheck
        run: govulncheck ./...

  gitleaks:
    name: Secret Detection
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install gitleaks
        run: |
          GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | jq -r '.tag_name' | tr -d 'v')
          curl -sL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar xz -C /usr/local/bin gitleaks
      - name: Scan for secrets
        run: gitleaks detect --source . --no-banner

  trivy:
    name: Dependency & Config Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
      - name: Filesystem scan
        run: trivy fs --scanners vuln,secret,misconfig --severity HIGH,CRITICAL --exit-code 1 .
feat: add Woodpecker CI pipeline and workspace improvements (#1) Co-authored-by: Claude <developers@lethean.io> Co-committed-by: Claude <developers@lethean.io> 2026-02-08 13:25:06 +00:00			`# Sovereign security scanning — no cloud dependencies`
			`# Replaces: GitHub Dependabot, CodeQL, Advanced Security`
			`# PCI DSS: Req 6.3.2 (code review), Req 11.3 (vulnerability scanning)`

			`name: Security Scan`

			`on:`
			`push:`
			`branches: [main, dev, 'feat/*']`
			`pull_request:`
			`branches: [main]`

			`jobs:`
			`govulncheck:`
			`name: Go Vulnerability Check`
			`runs-on: ubuntu-latest`
			`steps:`
			`- uses: actions/checkout@v4`
			`- uses: actions/setup-go@v5`
			`with:`
			`go-version: '1.25'`
			`- name: Install govulncheck`
			`run: go install golang.org/x/vuln/cmd/govulncheck@latest`
			`- name: Run govulncheck`
			`run: govulncheck ./...`

			`gitleaks:`
			`name: Secret Detection`
			`runs-on: ubuntu-latest`
			`steps:`
			`- uses: actions/checkout@v4`
			`with:`
			`fetch-depth: 0`
			`- name: Install gitleaks`
			`run: \|`
			`GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest \| jq -r '.tag_name' \| tr -d 'v')`
			`curl -sL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \| tar xz -C /usr/local/bin gitleaks`
			`- name: Scan for secrets`
			`run: gitleaks detect --source . --no-banner`

			`trivy:`
			`name: Dependency & Config Scan`
			`runs-on: ubuntu-latest`
			`steps:`
			`- uses: actions/checkout@v4`
			`- name: Install Trivy`
			`run: \|`
			`curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \| sh -s -- -b /usr/local/bin`
			`- name: Filesystem scan`
			`run: trivy fs --scanners vuln,secret,misconfig --severity HIGH,CRITICAL --exit-code 1 .`