ci(security): add Semgrep XXE rule and CI scan job

Add .semgrep/security.yml with rules for DocumentBuilderFactory, SAXParserFactory, and XMLInputFactory without XXE hardening (CWE-611). Add semgrep-scan CI job — runs in parallel with backend-unit-tests, local rules only, --error flag fails the build on any match. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17 14:48:46 +02:00
parent 25a39fca9c
commit f15ea031d1
2 changed files with 69 additions and 0 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -276,6 +276,26 @@ jobs:
          echo "$dump" | grep -qE "\['add', 'familienarchiv-auth', 'polling'\]" \
            || { echo "FAIL: familienarchiv-auth jail did not resolve to 'polling' backend"; exit 1; }

+  # ─── Semgrep Security Scan ───────────────────────────────────────────────────
+  # Catches XXE-unprotected XML parser factories and similar patterns defined in
+  # .semgrep/security.yml. Runs in parallel with backend-unit-tests for fast feedback.
+  # Uses local rules only (no SEMGREP_APP_TOKEN / OIDC — act_runner does not support it).
+  semgrep-scan:
+    name: Semgrep Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install Semgrep
+        run: pip install semgrep
+
+      - name: Run security rules
+        run: semgrep --config .semgrep/security.yml --error --metrics=off backend/src/
+
  # ─── Compose Bucket-Bootstrap Idempotency ─────────────────────────────────────
  # docker-compose.prod.yml's create-buckets service runs on every
  # `docker compose up` (one-shot, no restart). Must be idempotent — a