feat(security): security.yml + GitHub mirror + SSH origin
All checks were successful
security / security (push) Successful in 8s

- security.yml: Hadolint + GitLeaks (для Next.js sag24 — также Semgrep + npm audit)

- origin URL: HTTPS+PAT → SSH (убран plain-text token из git config)

- all remote: dual-push в Gitea + GitHub

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Dmitry Gusev
2026-05-24 23:35:14 +03:00
parent 233af27773
commit 365ec4deec
2 changed files with 40 additions and 0 deletions

View File

@@ -0,0 +1,35 @@
name: security
on:
push:
branches: [main]
pull_request:
workflow_dispatch:
jobs:
security:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
# Hadolint — bad practices в Dockerfile
- name: Install Hadolint
run: |
curl -sSL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint
chmod +x /usr/local/bin/hadolint
- name: Run Hadolint
run: hadolint --no-fail Dockerfile || true
# GitLeaks — поиск секретов в истории
- name: Install GitLeaks
run: |
curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
| tar -xz -C /usr/local/bin gitleaks
chmod +x /usr/local/bin/gitleaks
- name: Run GitLeaks
run: gitleaks detect --source . --no-banner --verbose --redact --exit-code 0 || true

5
.gitleaks.toml Normal file
View File

@@ -0,0 +1,5 @@
# GitLeaks config для redirect-контейнеров.
# Минимальный — только default rules, без специальных allowlist.
[extend]
useDefault = true