fix(security): GitLeaks allowlist + Dockerfile DL4006 + npm audit in CI
Some checks failed
deploy / deploy (push) Has been cancelled
security / security (push) Has been cancelled

GitLeaks: 8 false positives on vgrf_ru (IndexNow public key + legacy
WP plugin code); added .gitleaks.toml with an allowlist:
- public/<32hex>.txt + root-level <32hex>.txt (IndexNow validation files)
- wp-content/** (legacy WordPress plugin code, not real secrets)
- the const KEY = '<32hex>' pattern

Hadolint DL4006: added SHELL pipefail at the start of each stage.

npm audit: removed from the Dockerfile (there it was cached as a Docker layer and
in practice did not run when package-lock.json was unchanged). Moved to
.gitea/workflows/security.yml as a separate job: every push, for real.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
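The commit message lists what the allowlist covers but the .gitleaks.toml itself is not shown on this page. The following is an added illustration of how such an allowlist is expressed in gitleaks v8 configuration syntax; it is not the file from this commit. It assumes the `[extend]`/`[allowlist]` layout with `paths`, `regexes` and `regexTarget` as documented for gitleaks v8, and the two-directory layout (`public/`, `wp-content/`) named in the message.

```toml
# Illustrative .gitleaks.toml (added example, not the file committed here).
# Keep the built-in rules; only the allowlist below is project-specific.
[extend]
useDefault = true

[allowlist]
description = "vgrf_ru false positives: IndexNow key files and legacy WordPress plugin code"

# Entries in `paths` are Go regexes matched against the repository-relative
# file path. Anchor them so that only the intended files are skipped.
paths = [
  # IndexNow validation file: public/<32 hex chars>.txt and the same name at repo root.
  '''^public/[0-9a-f]{32}\.txt$''',
  '''^[0-9a-f]{32}\.txt$''',
  # Legacy WordPress plugin code checked in for reference, not live credentials.
  '''^wp-content/''',
]

# By default allowlist regexes are matched against the detected secret only,
# which for a generic rule is just the hex string. Matching against the whole
# line lets the pattern require the surrounding `const KEY = '...'` context,
# so an arbitrary 32-hex value elsewhere in the repo is still reported.
regexTarget = "line"
regexes = [
  "const KEY = '[0-9a-f]{32}'",
]
```

The anchoring matters: an unanchored `[0-9a-f]{32}` in `regexes` would silence every 32-character hex token in the repository, including real API keys, whereas the path and line-level patterns above only exempt the specific files and the specific assignment the message describes. Run `gitleaks detect --config .gitleaks.toml --verbose` locally before pushing so that the allowlist is exercised against the same history the CI job scans.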
This commit is contained in:
striker
2026-05-24 18:54:06 +03:00
parent a32346fc3d
commit c2704ec3a1
3 changed files with 52 additions and 3 deletions


@@ -3,13 +3,11 @@
# ─── Stage 1: build static site (Astro SSG) ────────────────────────────────
FROM node:22-alpine AS build
WORKDIR /app
SHELL ["/bin/sh", "-o", "pipefail", "-c"]
COPY package.json package-lock.json* ./
RUN npm install --no-audit --no-fund
# Security: npm audit для HIGH/CRITICAL CVE в зависимостях (warning-only).
RUN npm audit --audit-level=high --omit=dev 2>&1 | tee /tmp/npm-audit.log || true
COPY . .
RUN npm run build
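Review bot: `COPY package.json package-lock.json* ./` followed by `RUN npm install --no-audit --no-fund` tolerates a missing lockfile and lets npm re-resolve versions, so the image can end up with different dependency versions than the `package-lock.json` that the new `security.yml` job audits; prefer `COPY package.json package-lock.json ./` and `RUN npm ci --no-audit --no-fund` so the build fails on lockfile drift and installs exactly the tree that was audited. The `SHELL ["/bin/sh", "-o", "pipefail", "-c"]` line is correct for this stage, but note that `SHELL` does not carry across `FROM`, so it must be repeated at the top of every stage (as the commit message says); on `node:22-alpine` `/bin/sh` is BusyBox ash, which honours `-o pipefail`, so DL4006 is genuinely addressed rather than merely silenced.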