nyx security scanner integration

.forgejo/workflows/nyxscanner.yml

@@ -0,0 +1,44 @@
+name: NYX Security Scan
+
+on:
+  pull_request:
+    branches: [main, master]
+
+jobs:
+  nyx-scan:
+    runs-on: docker-amd64  # eine Architektur reicht für SAST
+
+    steps:
+      - name: Checkout target repo
+        uses: actions/checkout@v4
+
+      - name: Checkout nyx from Forgejo mirror
+        uses: actions/checkout@v4
+        with:
+          repository: apunkt/nyx
+          # URL deiner Forgejo-Instanz:
+          server_url: https://bitfreedom.net/code/
+          ref: master
+          path: .nyx-src
+
+      - name: Install Rust
+        uses: https://github.com/actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: stable
+
+      - name: Build nyx from source
+        run: |
+          cd .nyx-src
+          cargo build --release
+          sudo cp target/release/nyx /usr/local/bin/nyx
+
+      - name: Run NYX scan
+        run: |
+          nyx scan --format sarif --fail-on MEDIUM > nyx-results.sarif
+
+      - name: Upload results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: nyx-sarif-report
+          path: nyx-results.sarif