.gitea/workflows/pr-checks.yaml

@@ -69,7 +69,7 @@ jobs:
           git commit -m "style: apply prettier formatting"
           git push origin "HEAD:${PR_BRANCH}"
 
-  qodana:
+  security-sast:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -77,18 +77,40 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Qodana Scan
+      - name: Set up Python
-        uses: JetBrains/qodana-action@v2025.3
+        uses: actions/setup-python@v5
-        env:
-          QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
         with:
-          cache-dir: /tmp
+          python-version: '3.12'
-          results-dir: /tmp
+
-          args: -i,backend
+      - name: Install Semgrep
-          pr-mode: true
+        shell: bash
-          use-caches: false
+        run: |
-          post-pr-comment: false
+          python -m pip install --upgrade pip
-          use-annotations: true
+          python -m pip install semgrep
+
+      - name: Run Semgrep (SAST)
+        shell: bash
+        run: |
+          semgrep --config auto --error \
+            --exclude frontend/node_modules \
+            --exclude backend/build \
+            backend/src frontend/src
+
+      - name: Install Gitleaks
+        shell: bash
+        run: |
+          set -euo pipefail
+          VERSION="8.24.2"
+          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" \
+            -o /tmp/gitleaks.tar.gz
+          tar -xzf /tmp/gitleaks.tar.gz -C /tmp
+          install -m 0755 /tmp/gitleaks /usr/local/bin/gitleaks
+          gitleaks version
+
+      - name: Run Gitleaks (secrets scan)
+        shell: bash
+        run: |
+          gitleaks detect --source . --no-git --redact --exit-code 1
 
   test-backend:
     runs-on: ubuntu-latest