Skip to content

ci: add security-scan + semgrep + dependabot #228

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Cre-eD merged 12 commits into from
May 7, 2026
Merged

ci: add security-scan + semgrep + dependabot #228

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
9cf79bb
ci: add security-scan + semgrep + dependabot
Cre-eD May 7, 2026
5d4d273
ci: retrigger after org-access enabled
Cre-eD May 7, 2026
8a8418c
ci: retrigger after actions repo set public
Cre-eD May 7, 2026
8213095
fix(security-scan): replace placeholder credentials at source + narro…
Cre-eD May 7, 2026
9e04b51
ci: harden CI with composites; fix mongo URI test; address script-inj…
Cre-eD May 7, 2026
cf3f9bc
test(mongodb): assert on parsed URL fields, not full-string equality
Cre-eD May 7, 2026
e36ded4
chore(security-scan): per-line nosemgrep on sc.sh; drop .semgrepignore
Cre-eD May 7, 2026
b5dfb33
ci(notify): inline clickable title via notify-telegram link-url/link-…
Cre-eD May 7, 2026
27ef642
fix(branch.yaml): quote link-text expression to survive YAML colon
Cre-eD May 7, 2026
8042ced
ci(notify): clearer telegram text per workflow + use head_ref not mer…
Cre-eD May 7, 2026
95177a7
ci(notify): bump notify-telegram refs to @main now that PR#5 has merged
Cre-eD May 7, 2026
e566e2f
Merge branch 'main' into ci/security-scans
Cre-eD May 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 40 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
version: 2

updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
day: monday
open-pull-requests-limit: 5
labels:
- dependencies
- github-actions
commit-message:
prefix: deps
include: scope
groups:
actions-minor-and-patch:
applies-to: version-updates
update-types:
- minor
- patch

- package-ecosystem: gomod
directory: /
schedule:
interval: weekly
day: monday
open-pull-requests-limit: 10
labels:
- dependencies
- go
commit-message:
prefix: deps
include: scope
groups:
gomod-minor-and-patch:
applies-to: version-updates
update-types:
- minor
- patch
81 changes: 43 additions & 38 deletions .github/workflows/branch-preview.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:
outputs:
version: ${{ steps.version.outputs.version }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Get next version
uses: reecetech/version-increment@2023.10.2
id: base-version
Expand All @@ -40,16 +40,16 @@ jobs:
cicd-bot-telegram-token: ${{ steps.telegram-secrets.outputs.cicd-bot-telegram-token }}
cicd-bot-telegram-chat-id: ${{ steps.telegram-secrets.outputs.cicd-bot-telegram-chat-id }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: fregante/setup-git-user@v2
- name: Set up Go with Blacksmith caching
uses: useblacksmith/setup-go@v6
with:
go-version: '1.25'
- name: install sc tool (latest release)
shell: bash
run: |-
curl -s "https://dist.simple-container.com/sc.sh" | bash
- name: install sc tool
uses: simple-container-com/actions/install-sc@main
- name: install welder tool
uses: simple-container-com/actions/install-welder@main
- name: prepare secrets for build
run: |
cat << EOF > ./.sc/cfg.default.yaml
Expand All @@ -70,7 +70,7 @@ jobs:
SKIP_EMBEDDINGS: "true"
run: |-
git remote set-url origin https://${{ secrets.GITHUB_TOKEN }}@github.com/simple-container-com/api.git
bash <(curl -Ls "https://welder.simple-container.com/welder.sh") run rebuild
welder run rebuild
- name: clean
run: |
mkdir -p dist
Expand Down Expand Up @@ -124,7 +124,7 @@ jobs:
- os: darwin
arch: amd64
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go with Blacksmith caching
uses: useblacksmith/setup-go@v6
with:
Expand Down Expand Up @@ -166,7 +166,7 @@ jobs:
cmd: cloud-helpers
output: dist/cloud-helpers
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go with Blacksmith caching
uses: useblacksmith/setup-go@v6
with:
Expand All @@ -192,7 +192,7 @@ jobs:
runs-on: blacksmith-8vcpu-ubuntu-2204
needs: [prepare, build-setup]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go with Blacksmith caching
uses: useblacksmith/setup-go@v6
with:
Expand All @@ -217,18 +217,16 @@ jobs:
dockerfile: cloud-helpers.aws.Dockerfile
tag_prefix: "simplecontainer/cloud-helpers:aws-"
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: download ${{ matrix.target }} binary
uses: actions/download-artifact@v4
with:
name: ${{ matrix.target }}-binary
path: dist
- name: fix binary permissions
run: chmod +x dist/${{ matrix.binary }}
- name: install sc tool (latest release)
shell: bash
run: |-
curl -s "https://dist.simple-container.com/sc.sh" | bash
- name: install sc tool
uses: simple-container-com/actions/install-sc@main
- name: prepare secrets for build
run: |
cat << EOF > ./.sc/cfg.default.yaml
Expand Down Expand Up @@ -267,7 +265,7 @@ jobs:
# Runs in parallel with publish-git-tag.
needs: [prepare, build-setup, build-platforms, test]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: download all sc platform artifacts
uses: actions/download-artifact@v4
with:
Expand All @@ -280,10 +278,8 @@ jobs:
path: bin
- name: fix bin tools permissions
run: chmod +x bin/*
- name: install sc tool (latest release)
shell: bash
run: |-
curl -s "https://dist.simple-container.com/sc.sh" | bash
- name: install sc tool
uses: simple-container-com/actions/install-sc@main
- name: prepare secrets for build
run: |
cat << EOF > ./.sc/cfg.default.yaml
Expand Down Expand Up @@ -319,7 +315,7 @@ jobs:
# Does not need build-platforms or publish-sc-preview. Runs in parallel with publish-sc-preview.
needs: [prepare, docker-build]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- uses: fregante/setup-git-user@v2
Expand Down Expand Up @@ -364,18 +360,17 @@ jobs:
- publish-git-tag
- docker-build
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
if: ${{ always() }}

- name: Extract git reference
id: extract_git_ref
if: ${{ always() }}
shell: bash
env:
COMMIT_MESSAGE: ${{ github.event.head_commit.message || github.event.workflow_run.head_commit.message }}
run: |-
cat <<'EOF' > /tmp/commit_message.txt
${{ github.event.head_commit.message || github.event.workflow_run.head_commit.message }}
EOF
message="$(cat /tmp/commit_message.txt | tr -d '\n')"
message="$(printf '%s' "$COMMIT_MESSAGE" | tr -d '\n')"
if [ ${#message} -gt 200 ]; then
truncated_message="${message:0:80}...${message: -80}"
message="$truncated_message"
Expand Down Expand Up @@ -420,29 +415,39 @@ jobs:

Docker image: \`simplecontainer/github-actions:${VERSION}\`

### Install this SC version via CLI
### Install this SC version in your CI

\`\`\`bash
SIMPLE_CONTAINER_VERSION=${VERSION} curl -s "https://dist.simple-container.com/sc.sh" | bash
\`\`\`yaml
- uses: simple-container-com/actions/install-sc@main
with:
version: ${VERSION}
\`\`\`

> Preview build from branch \`${BRANCH}\`. Running \`sc.sh\` without \`SIMPLE_CONTAINER_VERSION\` will **not** pick up this version.
> Preview build from branch \`${BRANCH}\`. The \`install-sc\` action pins the binary to the exact preview version above and verifies it on download.
ENDSUMMARY

- uses: yanzay/notify-telegram@v0.1.0
- name: Notify Telegram (success)
if: ${{ success() && !contains(needs.*.result, 'failure') }}
continue-on-error: true
uses: simple-container-com/actions/notify-telegram@main
with:
chat: ${{ needs.build-setup.outputs.cicd-bot-telegram-chat-id }}
token: ${{ needs.build-setup.outputs.cicd-bot-telegram-token }}
status: ✅ preview published (${{ steps.extract_git_ref.outputs.branch }}) (v${{ needs.prepare.outputs.version }}) - ${{ steps.extract_git_ref.outputs.message }} by ${{ steps.extract_git_ref.outputs.author }}
- uses: yanzay/notify-telegram@v0.1.0
chat-id: ${{ needs.build-setup.outputs.cicd-bot-telegram-chat-id }}
token: ${{ needs.build-setup.outputs.cicd-bot-telegram-token }}
text: '✅ Preview published: '
link-url: ${{ format('{0}/{1}/actions/runs/{2}', github.server_url, github.repository, github.run_id) }}
link-text: 'v${{ needs.prepare.outputs.version }}'
suffix: ' on ${{ github.head_ref || github.ref_name }} by ${{ steps.extract_git_ref.outputs.author }}'
- name: Notify Telegram (failure)
if: ${{ failure() || contains(needs.*.result, 'failure') }}
continue-on-error: true
uses: simple-container-com/actions/notify-telegram@main
with:
chat: ${{ needs.build-setup.outputs.cicd-bot-telegram-chat-id }}
token: ${{ needs.build-setup.outputs.cicd-bot-telegram-token }}
status: ❗ preview failed (${{ steps.extract_git_ref.outputs.branch }}) - ${{ steps.extract_git_ref.outputs.message }} by ${{ steps.extract_git_ref.outputs.author }}
chat-id: ${{ needs.build-setup.outputs.cicd-bot-telegram-chat-id }}
token: ${{ needs.build-setup.outputs.cicd-bot-telegram-token }}
text: '❗ Preview failed: '
link-url: ${{ format('{0}/{1}/actions/runs/{2}', github.server_url, github.repository, github.run_id) }}
link-text: 'v${{ needs.prepare.outputs.version }}'
suffix: ' on ${{ github.head_ref || github.ref_name }} by ${{ steps.extract_git_ref.outputs.author }}'

- name: Build failed due to previously failed steps
id: fail_if_needed
Expand Down
56 changes: 31 additions & 25 deletions .github/workflows/branch.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,16 +17,16 @@ jobs:
cicd-bot-telegram-token: ${{ steps.telegram-secrets.outputs.cicd-bot-telegram-token }}
cicd-bot-telegram-chat-id: ${{ steps.telegram-secrets.outputs.cicd-bot-telegram-chat-id }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: fregante/setup-git-user@v2
- name: Set up Go with Blacksmith caching
uses: useblacksmith/setup-go@v6
with:
go-version: '1.25'
- name: install sc tool (latest release)
shell: bash
run: |-
curl -s "https://dist.simple-container.com/sc.sh" | bash
- name: install sc tool
uses: simple-container-com/actions/install-sc@main
- name: install welder tool
uses: simple-container-com/actions/install-welder@main
- name: prepare secrets for build
run: |
cat << EOF > ./.sc/cfg.default.yaml
Expand All @@ -47,7 +47,7 @@ jobs:
SKIP_EMBEDDINGS: "true"
run: |-
git remote set-url origin https://${{ secrets.GITHUB_TOKEN }}@github.com/simple-container-com/api.git
bash <(curl -Ls "https://welder.simple-container.com/welder.sh") run rebuild
welder run rebuild
- name: clean
run: |
mkdir -p dist
Expand Down Expand Up @@ -101,7 +101,7 @@ jobs:
- os: darwin
arch: amd64
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go with Blacksmith caching
uses: useblacksmith/setup-go@v6
with:
Expand Down Expand Up @@ -141,7 +141,7 @@ jobs:
cmd: cloud-helpers
output: dist/cloud-helpers
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go with Blacksmith caching
uses: useblacksmith/setup-go@v6
with:
Expand All @@ -166,7 +166,7 @@ jobs:
runs-on: blacksmith-8vcpu-ubuntu-2204
needs: build-setup
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go with Blacksmith caching
uses: useblacksmith/setup-go@v6
with:
Expand All @@ -187,7 +187,7 @@ jobs:
runs-on: blacksmith-8vcpu-ubuntu-2204
needs: build-setup
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go with Blacksmith caching
uses: useblacksmith/setup-go@v6
with:
Expand All @@ -209,38 +209,44 @@ jobs:
- build-github-actions-staging
- test
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
if: ${{ always() }}

- name: Extract git reference
id: extract_git_ref
if: ${{ always() }}
shell: bash
env:
COMMIT_MESSAGE: ${{ github.event.head_commit.message || github.event.workflow_run.head_commit.message }}
run: |-
cat <<'EOF' > /tmp/commit_message.txt
${{ github.event.head_commit.message || github.event.workflow_run.head_commit.message }}
EOF
message="$(cat /tmp/commit_message.txt | tr -d '\n')"
message="$(printf '%s' "$COMMIT_MESSAGE" | tr -d '\n')"
echo "branch=$GITHUB_REF_NAME" >> $GITHUB_OUTPUT
echo "message=$message" >> $GITHUB_OUTPUT
echo "author=$GITHUB_ACTOR" >> $GITHUB_OUTPUT
echo "url=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> $GITHUB_OUTPUT

# Notify telegram
- uses: yanzay/notify-telegram@v0.1.0
if: ${{ success() && !contains(needs.*.result, 'failure') }}
- name: Notify Telegram (success)
if: ${{ success() && !contains(needs.*.result, 'failure') }}
continue-on-error: true
uses: simple-container-com/actions/notify-telegram@main
with:
chat: ${{ needs.build-setup.outputs.cicd-bot-telegram-chat-id }}
token: ${{ needs.build-setup.outputs.cicd-bot-telegram-token }}
status: ✅ success (${{ steps.extract_git_ref.outputs.branch }}) - ${{ steps.extract_git_ref.outputs.message }} by ${{ steps.extract_git_ref.outputs.author }}
- uses: yanzay/notify-telegram@v0.1.0
chat-id: ${{ needs.build-setup.outputs.cicd-bot-telegram-chat-id }}
token: ${{ needs.build-setup.outputs.cicd-bot-telegram-token }}
text: '✅ CI passed: '
link-url: ${{ github.event.pull_request.html_url || format('{0}/{1}/actions/runs/{2}', github.server_url, github.repository, github.run_id) }}
link-text: "${{ github.event.pull_request.title && format('PR #{0}: {1}', github.event.pull_request.number, github.event.pull_request.title) || github.workflow }}"
suffix: ' on ${{ github.head_ref || github.ref_name }} by ${{ steps.extract_git_ref.outputs.author }}'
- name: Notify Telegram (failure)
if: ${{ failure() || contains(needs.*.result, 'failure') }}
continue-on-error: true
uses: simple-container-com/actions/notify-telegram@main
with:
chat: ${{ needs.build-setup.outputs.cicd-bot-telegram-chat-id }}
token: ${{ needs.build-setup.outputs.cicd-bot-telegram-token }}
status: ❗ failure (${{ steps.extract_git_ref.outputs.branch }}) - ${{ steps.extract_git_ref.outputs.message }} by ${{ steps.extract_git_ref.outputs.author }}
chat-id: ${{ needs.build-setup.outputs.cicd-bot-telegram-chat-id }}
token: ${{ needs.build-setup.outputs.cicd-bot-telegram-token }}
text: '❗ CI failed: '
link-url: ${{ github.event.pull_request.html_url || format('{0}/{1}/actions/runs/{2}', github.server_url, github.repository, github.run_id) }}
link-text: "${{ github.event.pull_request.title && format('PR #{0}: {1}', github.event.pull_request.number, github.event.pull_request.title) || github.workflow }}"
suffix: ' on ${{ github.head_ref || github.ref_name }} by ${{ steps.extract_git_ref.outputs.author }}'

- name: Build failed due to previously failed steps
id: fail_if_needed
Expand Down
Loading
Loading