diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml
new file mode 100644
index 0000000..c0caaf3
--- /dev/null
+++ b/.gitea/workflows/security.yml
@@ -0,0 +1,35 @@
+name: security
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ security:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ # Hadolint — bad practices в Dockerfile
+ - name: Install Hadolint
+ run: |
+ curl -sSL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint
+ chmod +x /usr/local/bin/hadolint
+
+ - name: Run Hadolint
+ run: hadolint --no-fail Dockerfile || true
+
+ # GitLeaks — поиск секретов в истории
+ - name: Install GitLeaks
+ run: |
+ curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
+ | tar -xz -C /usr/local/bin gitleaks
+ chmod +x /usr/local/bin/gitleaks
+
+ - name: Run GitLeaks
+ run: gitleaks detect --source . --no-banner --verbose --redact --exit-code 0 || true
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..d21c4ed
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,5 @@
+# GitLeaks config для redirect-контейнеров.
+# Минимальный — только default rules, без специальных allowlist.
+
+[extend]
+useDefault = true
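Review bot: Neither scanner can ever fail this job — the `Run Hadolint` step uses `hadolint --no-fail Dockerfile || true` and the `Run GitLeaks` step uses `--exit-code 0 || true`, so a committed secret or a flagged Dockerfile practice only lands in a log nobody is forced to read, and a green `security` check on a pull request asserts nothing. Drop the suppression so findings block the merge: `run: hadolint Dockerfile` and `run: gitleaks detect --source . --no-banner --verbose --redact` (gitleaks exits non-zero on leaks by default; if a grace period is wanted, `continue-on-error: true` on the step keeps the result visible as a failed step instead of hiding it). Both install steps also execute unverified binaries fetched over the network with `curl -sSL` and no `-f`, so an HTTP error page would be written to `/usr/local/bin/hadolint`, made executable and silently run; add `-f`, verify the download against a pinned sha256 from the release's checksums file before executing it, and apply the same pattern to hadolint as sketched below for gitleaks. For the same supply-chain reason consider pinning `actions/checkout@v4` to a full commit SHA rather than a movable tag.
```yaml
      # … unchanged: checkout and hadolint steps (give hadolint the same -f + sha256 check) …
      - name: Install GitLeaks
        run: |
          set -euo pipefail
          curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz" -o /tmp/gitleaks.tgz
          # digest pinned from the v8.21.2 release checksums file; a mismatch aborts the job
          echo "<sha256-of-gitleaks_8.21.2_linux_x64.tar.gz>  /tmp/gitleaks.tgz" | sha256sum -c -
          tar -xzf /tmp/gitleaks.tgz -C /usr/local/bin gitleaks
          chmod +x /usr/local/bin/gitleaks

      - name: Run GitLeaks
        run: gitleaks detect --source . --no-banner --verbose --redact
```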
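Review bot: The header comment describes the config as minimal but not that it is currently a functional no-op: `[extend] useDefault = true` only inherits gitleaks' built-in ruleset, which is what `gitleaks detect` already uses when no config is present, so the file's real purpose is to be the place where repo-specific rules and allowlists will later go. Say that explicitly, and in English so the intent survives outside a Russian-speaking team, e.g. `# Gitleaks config for the redirect containers. Currently equivalent to the built-in default ruleset; any [[rules]] or [allowlist] entries added here extend (not replace) it, and allowlists suppress findings, so review them like code.` Gitleaks should pick this file up from the scanned source root (`.`) without a `--config` flag; confirm that in the first run's log rather than assuming it.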