From 9e78e4ab663627ad1d5cd7185044fed4ea770887 Mon Sep 17 00:00:00 2001
From: Kelly Thomas Reardon
Date: Tue, 12 May 2026 22:35:49 -0500
Subject: [PATCH] adding security tool stack, pre-commit steps, and gitignore additions
---
.gitea/workflows/security.yaml | 78 ++++++++++++++++++++++++++++++++++
.gitignore | 16 +++++++
.pre-commit-config.yaml | 29 +++++++++++++
.vscode/settings.json | 3 +-
4 files changed, 125 insertions(+), 1 deletion(-)
create mode 100644 .gitea/workflows/security.yaml
create mode 100644 .pre-commit-config.yaml
diff --git a/.gitea/workflows/security.yaml b/.gitea/workflows/security.yaml
new file mode 100644
index 0000000..a8b8d23
--- /dev/null
+++ b/.gitea/workflows/security.yaml
@@ -0,0 +1,78 @@
+name: Security
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ - develop
+
+jobs:
+ security:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ ###########################################################
+ # GITLEAKS
+ ###########################################################
+
+ - name: Gitleaks
+ run: |
+ docker run --rm \
+ -v ${{ github.workspace }}:/repo \
+ ghcr.io/gitleaks/gitleaks:latest \
+ detect \
+ --source /repo
+
+ ###########################################################
+ # SEMGREP
+ ###########################################################
+
+ - name: Semgrep
+ run: |
+ docker run --rm \
+ -v ${{ github.workspace }}:/src \
+ semgrep/semgrep \
+ semgrep scan \
+ --config auto \
+ /src
+
+ ###########################################################
+ # TRIVY FS
+ ###########################################################
+
+ - name: Trivy Filesystem
+ run: |
+ docker run --rm \
+ -v ${{ github.workspace }}:/workspace \
+ aquasec/trivy:latest \
+ fs \
+ --scanners vuln,secret,misconfig \
+ --severity HIGH,CRITICAL \
+ --exit-code 1 \
+ /workspace
+
+ ###########################################################
+ # DOCKER IMAGE BUILD
+ ###########################################################
+
+ - name: Build Image
+ run: |
+ docker build -t app:${{ github.sha }} .
+
+ ###########################################################
+ # TRIVY IMAGE
+ ###########################################################
+
+ - name: Trivy Image Scan
+ run: |
+ docker run --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ aquasec/trivy:latest \
+ image \
+ --severity HIGH,CRITICAL \
+ --exit-code 1 \
+ app:${{ github.sha }}
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 9daf30a..e0aed67 100644
--- a/.gitignore
+++ b/.gitignore
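Review bot: The Semgrep step in this hunk can never fail the job: `semgrep scan` returns 0 when it has findings unless `--error` is given, so unlike the two Trivy steps (which pass `--exit-code 1`) it only prints results; change the last two lines of that step to `--config auto --error \` and `/src`. The Gitleaks step runs against a default `actions/checkout@v4` clone, which is shallow, so `gitleaks detect` inspects only the tip commit rather than the history the `push`/`pull_request` triggers are meant to cover — give the checkout `with:` / `fetch-depth: 0`, and expect the container to need `git config --global --add safe.directory /repo` if the workspace is owned by a different uid than the scanner process. Every scanner image is `:latest` or untagged and `--config auto` fetches rules from Semgrep's registry (and, by default, reports metrics) at run time, so the gate's verdict can change between two runs of the same commit; pin the images to a tag or digest and consider `--metrics=off`. The Trivy image step mounts `/var/run/docker.sock` into the scanner container, which is acceptable on an ephemeral runner but root-equivalent on a persistent one — a one-line comment above that `-v` saying so would save the next reader a question.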
@@ -4,3 +4,19 @@
 debug.ps1
 .postmate/postmate-history.json
 .postmate/postmate-envs.json
+# Secrets
+.env
+.env.*
+*.pem
+*.key
+*.pfx
+*.p12
+secrets/
+credentials/
+config.local.*
+
+# VS Code local settings
+.vscode/settings.json
+
+# PowerShell
+*.psd1.local
\ No newline at end of file
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..845a76d
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,29 @@
+repos:
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.24.2
+ hooks:
+ - id: gitleaks
+
+ - repo: local
+ hooks:
+ - id: semgrep
+ name: semgrep
+ entry: bash -c 'docker run --rm -v "$(realpath .)":/src:Z docker.io/semgrep/semgrep semgrep scan --config auto /src'
+ language: system
+ pass_filenames: false
+
+ - repo: local
+ hooks:
+ - id: trivy
+ name: trivy filesystem scan
+ entry: bash -c 'docker run --rm -v "$(pwd)":/workspace docker.io/aquasec/trivy fs --scanners vuln,secret,misconfig --severity HIGH,CRITICAL /workspace'
+ language: system
+ pass_filenames: false
+
+ - repo: local
+ hooks:
+ - id: psscriptanalyzer
+ name: powershell static analysis
+ entry: pwsh -NoProfile -Command "Import-Module PSScriptAnalyzer; Invoke-ScriptAnalyzer -Path . -Recurse -Severity Error"
+ language: system
+ pass_filenames: false
\ No newline at end of file
diff --git a/.vscode/settings.json b/.vscode/settings.json
index e106e53..5a11575 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,3 +1,4 @@
 {
- "trivy.secretScanning": true
+ "trivy.secretScanning": true,
+ "semgrep.scan.onlyGitDirty": false
 }
\ No newline at end of file
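Review bot: The new `.vscode/settings.json` ignore rule in this hunk does nothing for the file as it stands: gitignore only affects untracked paths, and this same commit modifies `.vscode/settings.json`, so it is tracked and will keep being committed. Either run `git rm --cached .vscode/settings.json` in a follow-up so the rule takes effect, or drop the rule and keep the file as shared editor config — having both is confusing. Separately, `.env.*` also matches `.env.example`/`.env.template`, which teams usually want committed as documentation; if such a file exists, add `!.env.example` directly below it. The `*.pem`/`*.key`/`*.pfx`/`*.p12` globs are a convenience only — gitleaks and Trivy's secret scanner remain the real control, and anything matching these patterns that was committed before this change is still in history.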
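Review bot: The trivy hook in this hunk reports but never blocks a commit: unlike the CI step it omits `--exit-code 1`, and `trivy fs` exits 0 on findings by default, so its entry should end `... --severity HIGH,CRITICAL --exit-code 1 /workspace'`. The semgrep hook has the same gap — `semgrep scan` needs `--error` to return non-zero when it finds something, so add it after `--config auto`. Both hooks scan the whole repository (`pass_filenames: false`) through an unpinned image (`docker.io/semgrep/semgrep`, `docker.io/aquasec/trivy`) on every commit, which makes results drift between commits and is slow enough that developers tend to reach for `--no-verify`; pin the images to a tag and consider `stages: [pre-push]` for these two. Minor style point: the two entries spell the bind mount differently (`"$(realpath .)":/src:Z` vs `"$(pwd)":/workspace`) — pick one form, and if `:Z` is needed for SELinux hosts it is needed on both.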