From d6d4ddb15b919dc9e108dafabb66562ddf3bc410 Mon Sep 17 00:00:00 2001
From: Snider
Date: Sat, 31 Jan 2026 21:35:16 +0000
Subject: [PATCH] ci: add security scanning workflow templates

Templates for repos to enable language-specific security scanning:
- security-php.yml: PHPStan + Semgrep SAST
- security-shell.yml: ShellCheck for bash scripts
- security-docker.yml: Hadolint for Dockerfiles

CodeQL default setup now enabled across all public repos for:
- Go, JavaScript/TypeScript (core, core-gui, build)
- JavaScript/TypeScript (core-admin, core-api, core-mcp, etc.)
- Actions workflow scanning (core-php, core-tenant, etc.)
- Python (ansible-*, docker-server-blockchain)
- C# (btcpayserver-docker)

Co-Authored-By: Claude Opus 4.5
---
 .../workflow-templates/security-docker.yml | 23 +++++++++
 .github/workflow-templates/security-php.yml | 50 +++++++++++++++++++
 .github/workflow-templates/security-shell.yml | 24 +++++++++
 3 files changed, 97 insertions(+)
 create mode 100644 .github/workflow-templates/security-docker.yml
 create mode 100644 .github/workflow-templates/security-php.yml
 create mode 100644 .github/workflow-templates/security-shell.yml

diff --git a/.github/workflow-templates/security-docker.yml b/.github/workflow-templates/security-docker.yml
new file mode 100644
index 0000000..994555e
--- /dev/null
+++ b/.github/workflow-templates/security-docker.yml
@@ -0,0 +1,23 @@
+name: Dockerfile Lint
+
+on:
+  push:
+    branches: [dev, main]
+    paths: ['**/Dockerfile*', '**.dockerfile']
+  pull_request:
+    branches: [dev, main]
+    paths: ['**/Dockerfile*', '**.dockerfile']
+  workflow_dispatch:
+
+jobs:
+  hadolint:
+    name: Hadolint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Hadolint
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          recursive: true
+          failure-threshold: warning
diff --git a/.github/workflow-templates/security-php.yml b/.github/workflow-templates/security-php.yml
new file mode 100644
index 0000000..28997c8
--- /dev/null
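Review bot: The workflow declares no `permissions:` block, so the `hadolint` job runs with whatever default `GITHUB_TOKEN` scope the repository grants, which depending on settings can be read/write and is far more than a Dockerfile linter needs; add `permissions:` followed by `  contents: read` at the top level, as the PHP template in this same commit already does. Both steps reference actions by mutable tag (`actions/checkout@v4`, `hadolint/hadolint-action@v3.1.0`), which matters for a template that will be copied into every repository: pin each to a full commit SHA and keep the tag in a trailing comment so a retagged upstream release cannot push new code into all consumers at once. `failure-threshold: warning` is a reasonable default but the template should say why it was chosen, e.g. `# Fail on warnings as well as errors; relax to 'error' for repos with legacy Dockerfiles`.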
+++ b/.github/workflow-templates/security-php.yml
@@ -0,0 +1,50 @@
+name: PHP Security
+
+on:
+  push:
+    branches: [dev, main]
+  pull_request:
+    branches: [dev, main]
+  schedule:
+    - cron: '0 6 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  phpstan:
+    name: PHPStan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.3'
+          coverage: none
+
+      - name: Install dependencies
+        run: composer install --no-interaction --prefer-dist
+
+      - name: Run PHPStan
+        run: vendor/bin/phpstan analyse --error-format=github || true
+
+  semgrep:
+    name: Semgrep SAST
+    runs-on: ubuntu-latest
+    container:
+      image: semgrep/semgrep
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Semgrep
+        run: semgrep scan --config auto --sarif --output results.sarif || true
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+        if: always()
diff --git a/.github/workflow-templates/security-shell.yml b/.github/workflow-templates/security-shell.yml
new file mode 100644
index 0000000..9cdd5f3
--- /dev/null
+++ b/.github/workflow-templates/security-shell.yml
@@ -0,0 +1,24 @@
+name: Shell Lint
+
+on:
+  push:
+    branches: [dev, main]
+    paths: ['**.sh', '**.bash', 'scripts/**']
+  pull_request:
+    branches: [dev, main]
+    paths: ['**.sh', '**.bash', 'scripts/**']
+  workflow_dispatch:
+
+jobs:
+  shellcheck:
+    name: ShellCheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@master
+        with:
+          severity: warning
+          scandir: '.'
+          format: gcc
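Review bot: `run: vendor/bin/phpstan analyse --error-format=github || true` discards PHPStan's exit code and, unlike the Semgrep job, uploads nothing, so on push and scheduled runs its findings are never surfaced anywhere and the job can only ever pass. Drop the `|| true` so analysis errors fail the job, or if the step is meant to be advisory during rollout put `continue-on-error: true` on it so the failure is at least visible; the Semgrep step's `|| true` is a separate decision not to fail on findings, defensible only because its SARIF reaches code scanning via the upload step under `if: always()`. `security-events: write` is declared workflow-wide and is therefore also granted to the `phpstan` job, which runs `composer install` and with it any Composer scripts and plugins on the checked-out ref; move that permission under the `semgrep` job and change the install to `composer install --no-interaction --prefer-dist --no-scripts`. `image: semgrep/semgrep` carries no tag or digest, so each run pulls whatever `latest` is that day; pin a version or digest, and likewise pin the third-party actions (`shivammathur/setup-php@v2`, `actions/checkout@v4`) to commit SHAs for a template that will be copied across repositories.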
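Review bot: `uses: ludeeus/action-shellcheck@master` tracks a moving branch of a third-party repository, so anyone who can push to that branch can run arbitrary code in every repository that adopts this template; pin to a release tag, or better a full commit SHA with the version in a trailing comment, e.g. `uses: ludeeus/action-shellcheck@<commit-sha>  # vX.Y.Z`. The workflow also declares no `permissions:` block, so the `shellcheck` job inherits the repository's default `GITHUB_TOKEN` scope; add `permissions:` followed by `  contents: read` at the top level, as the PHP template in this commit does. The `paths:` filters only trigger on `**.sh`, `**.bash` and `scripts/**` while `scandir: '.'` then scans the whole tree, so if the action also picks up extensionless scripts by shebang, a change to one outside `scripts/` never triggers a run; either widen the filter or document the gap with `# Runs only on changes to *.sh/*.bash or scripts/; extensionless scripts elsewhere are scanned but do not trigger`.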