Skip to content

feat(security): reusable SAST and secrets scanning workflows (batch 1)#12

Merged
NORSAIN-AI merged 1 commit intomainfrom
feat/security-sast-secrets
Apr 22, 2026
Merged

feat(security): reusable SAST and secrets scanning workflows (batch 1)#12
NORSAIN-AI merged 1 commit intomainfrom
feat/security-sast-secrets

Conversation

@NORSAIN-AI
Copy link
Copy Markdown
Owner

@NORSAIN-AI NORSAIN-AI commented Apr 22, 2026

Summary

First batch of reusable security workflows implementing layer 1 of the
NORSAIN layered security strategy (plan: hvordan-kan-vi-bygge-magical-hinton.md).

  • security-sast.yml — reusable Semgrep workflow. Runs semgrep ci
    when SEMGREP_APP_TOKEN is available (Platform org norsain_com,
    native PR comments, dashboard), otherwise falls back to OSS
    semgrep scan with p/trailofbits, p/owasp-top-ten,
    p/security-audit, auto. Findings are converted to rdjson and
    posted as inline PR comments via reviewdog/action-setup@v1. Fails
    the job on findings at or above the configurable fail-severity
    (default ERROR). Uploads semgrep.json/semgrep.sarif as a
    workflow artifact because SARIF-to-Security-tab is blocked on
    GHAS-less private callers.
  • security-secrets.yml — two-job reusable workflow. gitleaks runs
    on every call (PR/push) using repo-root .gitleaks.toml, posts PR
    comments, and fails on any detected secret. trufflehog runs only
    on schedule (weekly, Mon 06:00 UTC) or workflow_dispatch with
    --only-verified and opens a tracked GitHub issue via
    peter-evans/create-issue-from-file@v5 on verified findings, then
    fails the job.
  • .gitleaks.toml — NORSAIN baseline: extends gitleaks defaults with
    rules for AWS, GCP, GitHub (classic/fine-grained/app/OAuth), Slack,
    OpenAI, and Anthropic keys. Allowlist covers test fixtures,
    lockfiles, .env.example, docs examples, and canonical AWS sample
    keys.
  • README.md — new "Security Workflows" section with caller usage
    example (uses secrets: inherit).

Scope (in)

  • Two reusable workflows (security-sast.yml, security-secrets.yml)
  • Repo-root .gitleaks.toml
  • README update

Scope (out, deferred to later batches per plan)

  • security-iac.yml (Checkov)
  • security-deps.yml (OSV-Scanner)
  • security-python.yml (Ruff --select S)
  • codeql-selfhost.yml (CodeQL dogfood on this public repo)
  • semgrep/norsain-rules.yml custom ruleset
  • workflow-templates/security-full.yml starter

Follow-up after merge

After review + merge, tag v1 so consumer repos can pin
@v1. The tag is intentionally not created in this PR.

Verification

  • yamllint -c .yamllint.yaml .github/workflows/security-sast.yml .github/workflows/security-secrets.yml — only the pre-existing repo-wide document-start warning remains (no existing workflow uses ---).
  • actionlint (via rhysd/actionlint:latest container) — clean, no findings.

Test plan

  • Merge this PR and tag v1.
  • Wire a caller in agentic-orchestrator with secrets: inherit.
  • Open a PR containing a Semgrep smell (e.g. eval() of user input) — expect inline Semgrep comment on exact line; PR fails.
  • Remove SEMGREP_APP_TOKEN from org secrets — expect OSS fallback to run with Reviewdog comments; PR still fails.
  • Open a PR containing AKIAIOSFODNN7EXAMPLE outside fixtures/ — expect gitleaks fail + PR comment. Move under tests/fixtures/ — expect allowlisted.
  • Trigger security-secrets.yml via workflow_dispatch against a repo with a known verified secret — expect an issue to be created with security, secrets, priority-high labels.

@NORSAIN-AI
feat(security): add reusable SAST and secrets scanning workflows
03e5fed 
Introduces the first batch of org-shared security workflows referenced by
the layered security plan (hvordan-kan-vi-bygge-magical-hinton.md):

- .github/workflows/security-sast.yml: Semgrep SAST with graceful
  degradation. Uses `semgrep ci` when SEMGREP_APP_TOKEN is present
  (Platform org norsain_com, native PR comments), falling back to OSS
  `semgrep scan` (p/trailofbits, p/owasp-top-ten, p/security-audit,
  auto) piped through reviewdog rdjson for inline PR comments. Fails on
  findings at/above `fail-severity` (default ERROR). Uploads
  semgrep.json as a workflow artifact.
- .github/workflows/security-secrets.yml: gitleaks per PR/push with PR
  comments and fail-on-find, plus a weekly TruffleHog deep sweep
  (Mon 06:00 UTC, --only-verified) that opens a tracked issue via
  peter-evans/create-issue-from-file on verified findings. Also
  supports workflow_dispatch.
- .gitleaks.toml: NORSAIN baseline extending gitleaks defaults with
  AWS/GCP/GitHub/Slack/OpenAI/Anthropic key rules and an allowlist for
  test fixtures, lockfiles, docs examples, and canonical AWS sample
  keys.
- README.md: documents the new security workflows and caller usage.

After merge, tag `v1` to activate consumers.
Copilot AI review requested due to automatic review settings April 22, 2026 14:15
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 22, 2026

⚠️ This PR must have a milestone assigned before it can be merged/closed. Please assign an appropriate milestone.

Copilot AI reviewed Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Denne PR-en introduserer første batch med gjenbrukbare sikkerhets-workflows i org-repoet NORSAIN-AI/.github, slik at downstream-repoer kan få en felles baseline for SAST (Semgrep) og secrets scanning (Gitleaks/TruffleHog). I tillegg legges en repo-root .gitleaks.toml baseline og dokumentasjon i README for forventet caller-oppsett.

Changes:

  • Legger til reusable Semgrep SAST-workflow med Platform-mode og OSS fallback.
  • Legger til reusable secrets-scanning workflow med Gitleaks + planlagt TruffleHog deep sweep.
  • Legger til .gitleaks.toml baseline-konfig og dokumenterer “Security Workflows” i README.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 9 comments.

File Description
README.md Dokumenterer nye security-workflows og caller-eksempel
.gitleaks.toml Innfører sentral gitleaks baseline (regler + allowlist)
.github/workflows/security-secrets.yml Reusable secrets-scanning (gitleaks + trufflehog + issue)
.github/workflows/security-sast.yml Reusable Semgrep SAST med artifacts og reviewdog-basert kommentering

Comment thread .github/workflows/security-secrets.yml
Comment thread .github/workflows/security-secrets.yml
Comment thread README.md
Comment thread README.md
Comment thread .github/workflows/security-sast.yml
Comment thread .github/workflows/security-secrets.yml
Comment thread .github/workflows/security-sast.yml
Comment thread .github/workflows/security-sast.yml
Comment thread .gitleaks.toml
@NORSAIN-AI NORSAIN-AI added security Security-related issues or improvements ci-cd CI/CD and automation changes labels Apr 22, 2026
This was referenced Apr 22, 2026
Open
Open
@NORSAIN-AI NORSAIN-AI merged commit a163615 into main Apr 22, 2026
8 of 9 checks passed
@NORSAIN-AI NORSAIN-AI mentioned this pull request Apr 22, 2026
Merged
3 tasks
@NORSAIN-AI NORSAIN-AI deleted the feat/security-sast-secrets branch April 22, 2026 17:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

ci-cd CI/CD and automation changes needs-milestone security Security-related issues or improvements

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@NORSAIN-AI