Replace the test-only workflow with a parallel five-job pipeline:
tests, lint+format, gitleaks, Trivy (fs scan + CycloneDX SBOM), and
Semgrep SAST. Security scans are report-only initially so the team
can baseline findings before flipping the gates to blocking. Adds
.gitleaks.toml allowlists for the known dev/test placeholders so the
secret scan starts at zero noise. Future build-image / image-scan /
push-to-harbor stages are sketched in comments at the bottom of
ci.yml.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
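An added sketch of the five-job layout the message describes, written here as an illustration and not the ci.yml from this commit. It assumes GitHub Actions, a `make test` / `make lint` target for the two non-security jobs, and current releases of the public gitleaks, Trivy and Semgrep actions/images; `continue-on-error: true` is the single per-job switch that keeps a scan report-only until the team flips it to blocking.

```yaml
name: ci
on: [push, pull_request]

jobs:
  tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test          # assumed project target

  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint          # assumed target: linter + format check

  gitleaks:
    runs-on: ubuntu-latest
    continue-on-error: true     # report-only; set false to gate on secrets
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }   # full history so every commit in range is scanned
      - uses: gitleaks/gitleaks-action@v2   # reads .gitleaks.toml allowlists from repo root
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  trivy:
    runs-on: ubuntu-latest
    continue-on-error: true     # report-only; set false to gate on vulns
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0   # fs scan of the checked-out tree
        with: { scan-type: fs, scan-ref: ., severity: 'HIGH,CRITICAL' }
      - uses: aquasecurity/trivy-action@0.28.0   # same tree, emitted as a CycloneDX SBOM
        with: { scan-type: fs, scan-ref: ., format: cyclonedx, output: sbom.cdx.json }
      - uses: actions/upload-artifact@v4
        with: { name: sbom, path: sbom.cdx.json }

  semgrep:
    runs-on: ubuntu-latest
    continue-on-error: true     # report-only; set false to gate on SAST findings
    container: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - run: semgrep scan --config auto --sarif --output semgrep.sarif
      - uses: actions/upload-artifact@v4
        with: { name: semgrep, path: semgrep.sarif }

# future stages (not implemented): build-image -> image-scan (trivy image) -> push-to-harbor
```

Baseline by reading the uploaded SARIF/SBOM artifacts for a few runs, then remove the three `continue-on-error` lines once the findings are triaged.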