diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 280fd5a..3a79109 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,6 +18,8 @@ jobs: timeout-minutes: 5 permissions: contents: read + # gitleaks-action v3 lists PR commits via the API on pull_request events. + pull-requests: read steps: - uses: actions/checkout@v6
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
deleted file mode 100644
index 78640c4..0000000
--- a/.github/workflows/codeql.yml
+++ /dev/null
@@ -1,44 +0,0 @@ -# .github/workflows/codeql.yml -# CodeQL — dataflow / taint analysis. Free for public repos. -# Complementary to Semgrep (pattern-based). Together: comprehensive SAST coverage. -name: CodeQL - -on: - push: - branches: [main] - pull_request: - branches: [main] - schedule: - - cron: "0 9 * * 1" # Mondays 09:00 UTC - -concurrency: - group: codeql-${{ github.ref }} - cancel-in-progress: true - -jobs: - analyze: - name: Analyze (javascript-typescript) - runs-on: ubuntu-latest - timeout-minutes: 360 - permissions: - actions: read - contents: read - security-events: write - - steps: - - uses: actions/checkout@v6 - - - name: Initialize CodeQL - uses: github/codeql-action/init@v4 - with: - languages: javascript-typescript - # Default queries only — security-extended adds noise. - queries: security-and-quality - - - name: Autobuild - uses: github/codeql-action/autobuild@v4 - - - name: Perform CodeQL analysis - uses: github/codeql-action/analyze@v4 - with: - category: "/language:javascript-typescript"
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index b891a51..e75f4ac 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
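Review bot: The added `pull-requests: read` grant is justified by a step the hunk does not show, so nothing ties the permission to that step when the gitleaks action is later removed or upgraded; extend the comment to `# Needed only by the gitleaks-action step below (v3 lists PR commits via the API on pull_request); drop it together with that step.` Read-only is the correct minimum here, since GITHUB_TOKEN on pull_request runs from forks is read-only regardless of what the job declares. The job's trigger list and the step that consumes this permission lie outside the hunk, so whether any other step in the job also calls the pull-requests API cannot be checked from this diff.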
@@ -1,6 +1,10 @@ # .github/workflows/semgrep.yml -# Semgrep — pattern-based SAST. Free community ruleset. -# Complementary to CodeQL: catches framework misuse, OWASP patterns, dangerous APIs. +# Semgrep — pattern-based SAST on the free community ruleset. +# `semgrep ci` exits non-zero on findings, so this job GATES merges on its own. +# We don't upload SARIF to the GitHub Security tab: code scanning requires +# GitHub Advanced Security on private repos, which this repo doesn't have. +# The exit-code gate is the security control; the Security-tab UI is just a +# (paid) dashboard we forgo. name: Semgrep on:
@@ -24,7 +28,6 @@ jobs: image: semgrep/semgrep permissions: contents: read - security-events: write steps: - uses: actions/checkout@v6
@@ -37,12 +40,10 @@ jobs: --config p/nextjs \ --config p/react \ --config p/owasp-top-ten \ - --config p/secrets \ - --sarif \ - --output=semgrep.sarif + --config p/secrets env: - # No SEMGREP_APP_TOKEN — runs on free community rulesets only. - # Findings appear in Security tab via SARIF upload below. + # No SEMGREP_APP_TOKEN — free community rulesets only. Findings fail + # the job (and print in the log); no Security-tab upload. SEMGREP_RULES: >- p/javascript p/typescript
@@ -50,9 +51,3 @@ jobs: p/react p/owasp-top-ten p/secrets - - - name: Upload SARIF to GitHub Security - if: always() - uses: github/codeql-action/upload-sarif@v4 - with: - sarif_file: semgrep.sarif
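Review bot: The new header comment's claim that the job `GATES merges on its own` overstates what a non-zero exit does: it only fails this check run, and merges are blocked only once the Semgrep job is a required status check in branch protection or a ruleset, which this diff cannot show. Rephrase it to `# semgrep ci exits non-zero on findings; that blocks merges only while this job is a required status check in branch protection.` so the dependency on repository settings is not lost. With the `if: always()` SARIF upload removed in the last hunk, the workflow log is now the only record of findings, and Semgrep's default text output prints the matched source line, so a hit from the `p/secrets` ruleset would place the matched value in a log readable by everyone with read access to the repo — worth stating in the comment above `SEMGREP_RULES` so the log is treated as sensitive and rotated credentials are not assumed to be private. The `run:` step edited by the third hunk starts outside the hunk.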