feat: SAST reusable workflows [parent] #22

@ms280690

Description

Overview

Reusable GitHub Actions workflows for Static Application Security Testing (SAST) across all Sparkgeo repositories. Covers application source code only — frontend (JS/TS/React) and backend (Python, Go, Java, Ruby, etc.) across all programming languages.

Scope boundary: IaC (Terraform, CloudFormation) and Helm/Kustomize security scanning are not covered here. Those are handled by Step 17 (checkov, kubescape) and linting issues #10, #11.

Four contexts, tool selection

| # | Context | Tool | What it adds |
|---|---------|------|--------------|
| #18 | Pre-commit | semgrep | Instant pattern-based feedback before commit; language-agnostic, runs in <1s on a pre-commit hook |
| #19 | PR / CI | codeql | Deep data-flow and taint analysis; catches multi-file injection paths that semgrep misses; GitHub-native, zero infrastructure |
| #20 | Deployment branch | sonarqube | Quality gate (coverage, new bugs, hotspots) before promotion to main/staging/prod; PR decoration with delta findings |
| #21 | Runtime / Ops | sonarqube | Continuous trend dashboard + weekly scheduled re-scan; catches new CVEs against existing code without a new commit |

Why these tools, not others

  • semgrep over snyk code (pre-commit): fully open source, no cloud API call on commit, native pre-commit hook — fast enough to be non-disruptive
  • codeql over semgrep (PR/CI): data-flow and taint analysis that pattern matching cannot do; GitHub-native; free via GitHub Advanced Security
  • sonarqube over codeql (deployment branch): quality gates, historical trend tracking, and PR decoration that codeql does not provide; the two tools are complementary, not competing
  • coderabbit: AI PR reviewer that ingests codeql/sonarqube findings and generates inline fix suggestions — not the primary scanner but a high-value complement; configure per consuming repo via coderabbit.yml

Language coverage

All four tools are language-agnostic for application source code. A single workflow config handles any combination of:

Python · Go · Java · JavaScript · TypeScript · Ruby · C# · Kotlin · Swift · PHP · Rust · Scala

No stack-specific workflow forks or language-specific inputs required.

Infrastructure prerequisite

sonarqube (#20, #21) requires a self-hosted SonarQube Community Edition instance. Deploy once per organisation via Helm (see #20 for the deployment command). All other tools (semgrep, codeql) run on GitHub-hosted runners with no additional infrastructure.

Consuming repo adoption summary

```yaml
# .github/workflows/sast.yml (in each consuming repo)
name: SAST
on:
  pull_request:           # triggers #18 + #19
  push:
    branches: [main]      # triggers #20

jobs:
  semgrep:
    uses: sparkgeo/github-actions/.github/workflows/sast-precommit.yml@main

  codeql:
    uses: sparkgeo/github-actions/.github/workflows/sast-scan.yml@main
    permissions:
      security-events: write
      actions: read
      contents: read

  sonarqube:
    if: github.event_name == 'push'
    uses: sparkgeo/github-actions/.github/workflows/sast-gate.yml@main
    with:
      project-key: my-repo-name
    secrets:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
```
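For the `with:`/`secrets:` block above to be accepted, the callee has to declare a matching `workflow_call` interface. The following is an added illustration of what the `sast-gate.yml` side could look like; it is not the sparkgeo/github-actions code, and the scanner action, its version pin, and the use of `sonar.qualitygate.wait` to fail the job on a red gate are assumptions for this example:

```yaml
# .github/workflows/sast-gate.yml (hypothetical callee side, added example)
name: SAST gate (SonarQube)

on:
  workflow_call:
    inputs:
      project-key:
        description: SonarQube project key for the consuming repo
        required: true
        type: string
    secrets:
      SONAR_TOKEN:
        required: true
      SONAR_HOST_URL:
        required: true     # passed as a secret by the caller even though it is a repo variable

# Least privilege: the gate only needs to read the source it scans.
permissions:
  contents: read

jobs:
  sonarqube:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so SonarQube can compute new-code deltas

      # Assumed scanner action and pin; review and pin to a reviewed version in practice.
      - uses: SonarSource/sonarqube-scan-action@v5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        with:
          args: >
            -Dsonar.projectKey=${{ inputs.project-key }}
            -Dsonar.qualitygate.wait=true
```

With `sonar.qualitygate.wait=true` the job blocks until the server evaluates the quality gate and exits non-zero when it fails, which is what makes the push-to-main job act as a promotion gate rather than just a report.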
