Commit Graph

3 Commits

Author SHA1 Message Date
Dmitry Gusev
23c8deebd2 chore(security): .gitignore + .gitleaks.toml защита от CMS-export leak
All checks were successful
deploy / deploy (push) Successful in 1m2s
security / security (push) Successful in 2m45s
Превентивная защита от случайной публикации content/logs, content/data, ghost.*.json (см. инцидент moovg_ru 2026-05-24).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 20:09:23 +03:00
Dmitry Gusev
2a539705e7 fix(security): npm audit fix + GitLeaks allowlist for indexnow.js
All checks were successful
deploy / deploy (push) Successful in 1m5s
security / security (push) Successful in 2m42s
- npm audit fix: устранены 5 vulnerabilities (где возможно без --force):
  - path-to-regexp <0.1.13 (ReDoS, HIGH)
  - nodemailer 6.x patch
  - qs 6.7.x DoS (transitively через body-parser + express)

- .gitleaks.toml: расширен allowlist для scripts/indexnow.js* и
  scripts/indexnow-ping.sh — содержат публичный IndexNow KEY, не секрет.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 19:11:10 +03:00
Dmitry Gusev
df3d3d32b8 fix(security): GitLeaks allowlist + Dockerfile DL4006 + npm audit в CI
Some checks failed
deploy / deploy (push) Has been cancelled
security / security (push) Has been cancelled
GitLeaks: 8 false-positives на vgrf_ru (IndexNow public key + legacy
WP plugin code) — добавлен .gitleaks.toml с allowlist:
- public/<32hex>.txt + корневой <32hex>.txt (IndexNow validation files)
- wp-content/** (legacy WordPress plugin code, не настоящие секреты)
- const KEY = '<32hex>' паттерн

Hadolint DL4006: добавлен SHELL pipefail в начале каждой stage.

npm audit: убран из Dockerfile (там кэшировался Docker layer'ом и
по факту не запускался при unchanged package-lock.json). Вынесен в
.gitea/workflows/security.yml как отдельный job — каждый push, реально.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 18:54:02 +03:00