new file: .github/workflows/security.yml

2025-10-03 16:20:58 +08:00 · 2025-08-13 22:31:07 -04:00 · 2025-08-13 22:31:07 -04:00 · 55b100a73e
commit 55b100a73e
parent fb88a9e08a
2 changed files with 57 additions and 47 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -1,47 +0,0 @@
-name: "CodeQL"
-
-on:
-  push:
-    branches: [ "main", "dev" ]
-  pull_request:
-    branches: [ "main", "dev" ]
-  schedule:
-    - cron: '0 0 * * 0' # weekly scan
-
-permissions:
-  contents: read
-  security-events: write
-
-jobs:
-  analyze:
-    name: Analyze PHP and JavaScript
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'php', 'javascript' ]
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
-        with:
-          languages: ${{ matrix.language }}
-
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
-
-      # If autobuild fails for PHP, uncomment and adjust:
-      # - run: composer install --no-interaction --prefer-dist
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
-        with:
-          category: "/language:${{ matrix.language }}"
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@ -0,0 +1,57 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [ "main", "dev" ]
+  pull_request:
+    branches: [ "main", "dev" ]
+  schedule:
+    - cron: '0 1 * * 0' # weekly
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  codeql-js:
+    name: CodeQL (JavaScript)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:javascript"
+
+  semgrep-php:
+    name: Semgrep (PHP)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Semgrep for PHP
+        uses: returntocorp/semgrep-action@v1
+        with:
+          config: >
+            p/ci
+          generateSarif: true
+          sarif: semgrep.sarif
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN || '' }}
+
+      - name: Upload SARIF (Semgrep)
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: semgrep.sarif