From 365ec4deecc5a165eefb58c5cb95e12a88bf3890 Mon Sep 17 00:00:00 2001 From: Dmitry Gusev Date: Sun, 24 May 2026 23:35:14 +0300 Subject: [PATCH] feat(security): security.yml + GitHub mirror + SSH origin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - security.yml: Hadolint + GitLeaks (для Next.js sag24 — также Semgrep + npm audit) - origin URL: HTTPS+PAT → SSH (убран plain-text token из git config) - all remote: dual-push в Gitea + GitHub Co-Authored-By: Claude Opus 4.7 --- .gitea/workflows/security.yml | 35 +++++++++++++++++++++++++++++++++++ .gitleaks.toml | 5 +++++ 2 files changed, 40 insertions(+) create mode 100644 .gitea/workflows/security.yml create mode 100644 .gitleaks.toml diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml new file mode 100644 index 0000000..c0caaf3 --- /dev/null +++ b/.gitea/workflows/security.yml @@ -0,0 +1,35 @@ +name: security + +on: + push: + branches: [main] + pull_request: + workflow_dispatch: + +jobs: + security: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + # Hadolint — bad practices в Dockerfile + - name: Install Hadolint + run: | + curl -sSL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint + chmod +x /usr/local/bin/hadolint + + - name: Run Hadolint + run: hadolint --no-fail Dockerfile || true + + # GitLeaks — поиск секретов в истории + - name: Install GitLeaks + run: | + curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \ + | tar -xz -C /usr/local/bin gitleaks + chmod +x /usr/local/bin/gitleaks + + - name: Run GitLeaks + run: gitleaks detect --source . --no-banner --verbose --redact --exit-code 0 || true diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 0000000..d21c4ed --- /dev/null +++ b/.gitleaks.toml @@ -0,0 +1,5 @@ +# GitLeaks config для redirect-контейнеров. +# Минимальный — только default rules, без специальных allowlist. + +[extend] +useDefault = true