a314908c7b
Replace the test-only workflow with a parallel five-job pipeline: tests, lint+format, gitleaks, Trivy (fs scan + CycloneDX SBOM), and Semgrep SAST. Security scans are report-only initially so the team can baseline findings before flipping the gates to blocking. Adds .gitleaks.toml allowlists for the known dev/test placeholders so the secret scan starts at zero noise. Future build-image / image-scan / push-to-harbor stages are sketched in comments at the bottom of ci.yml. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
24 lines
590 B
TOML
# Gitleaks configuration
# Extends the built-in default ruleset and adds allowlists for known
# non-secret values that would otherwise trip the scan.
[extend]
useDefault = true
[allowlist]
description = "Known dev/test placeholders and generated artifacts"
regexes = [
# Frontend test env value, set in .gitea/workflows/ci.yml
'''placeholder-anon-key-for-tests-only''',
# Local-only Postgres password in docker-compose.yml (dev container)
'''development_password''',
]
paths = [
'''pnpm-lock\.yaml''',
'''.*/coverage/.*''',
'''.*/dist/.*''',
'''.*/node_modules/.*''',
]
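Review bot: The two `regexes` entries are unanchored and live in the global allowlist, so any finding whose secret merely contains `development_password` or `placeholder-anon-key-for-tests-only` is suppressed in every file, even though the comment above each entry describes it as belonging to one specific file (ci.yml, docker-compose.yml); anchoring them keeps the exemption to the exact placeholder value: `'''^placeholder-anon-key-for-tests-only$'''` and `'''^development_password$'''`. The `paths` patterns `.*/coverage/.*`, `.*/dist/.*` and `.*/node_modules/.*` each require a directory component before the name, so if gitleaks reports paths relative to the repository root without a leading slash — which I believe it does — a top-level `coverage/` or `dist/` directory is not excluded; `(^|.*/)coverage/.*` and the same form for the other two cover both placements. The header comment should also state the scoping explicitly, e.g. `# Entries below suppress matches repository-wide, not only in the files named in the per-entry comments`, so a reader does not assume the allowlist is path-scoped.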