adding security tool stack, pre-commit steps, and gitignore additions

.gitea/workflows/security.yaml

@@ -0,0 +1,78 @@
+name: Security
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - develop
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      ###########################################################
+      # GITLEAKS
+      ###########################################################
+
+      - name: Gitleaks
+        run: |
+          docker run --rm \
+            -v ${{ github.workspace }}:/repo \
+            ghcr.io/gitleaks/gitleaks:latest \
+            detect \
+            --source /repo
+
+      ###########################################################
+      # SEMGREP
+      ###########################################################
+
+      - name: Semgrep
+        run: |
+          docker run --rm \
+            -v ${{ github.workspace }}:/src \
+            semgrep/semgrep \
+            semgrep scan \
+            --config auto \
+            /src
+
+      ###########################################################
+      # TRIVY FS
+      ###########################################################
+
+      - name: Trivy Filesystem
+        run: |
+          docker run --rm \
+            -v ${{ github.workspace }}:/workspace \
+            aquasec/trivy:latest \
+            fs \
+            --scanners vuln,secret,misconfig \
+            --severity HIGH,CRITICAL \
+            --exit-code 1 \
+            /workspace
+
+      ###########################################################
+      # DOCKER IMAGE BUILD
+      ###########################################################
+
+      - name: Build Image
+        run: |
+          docker build -t app:${{ github.sha }} .
+
+      ###########################################################
+      # TRIVY IMAGE
+      ###########################################################
+
+      - name: Trivy Image Scan
+        run: |
+          docker run --rm \
+            -v /var/run/docker.sock:/var/run/docker.sock \
+            aquasec/trivy:latest \
+            image \
+            --severity HIGH,CRITICAL \
+            --exit-code 1 \
+            app:${{ github.sha }}

.gitignore

@@ -4,3 +4,19 @@
 debug.ps1
 .postmate/postmate-history.json
 .postmate/postmate-envs.json
+# Secrets
+.env
+.env.*
+*.pem
+*.key
+*.pfx
+*.p12
+secrets/
+credentials/
+config.local.*
+
+# VS Code local settings
+.vscode/settings.json
+
+# PowerShell
+*.psd1.local

.pre-commit-config.yaml

@@ -0,0 +1,29 @@
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.24.2
+    hooks:
+      - id: gitleaks
+
+  - repo: local
+    hooks:
+      - id: semgrep
+        name: semgrep
+        entry: bash -c 'docker run --rm -v "$(realpath .)":/src:Z docker.io/semgrep/semgrep semgrep scan --config auto /src'
+        language: system
+        pass_filenames: false
+
+  - repo: local
+    hooks:
+      - id: trivy
+        name: trivy filesystem scan
+        entry: bash -c 'docker run --rm -v "$(pwd)":/workspace docker.io/aquasec/trivy fs --scanners vuln,secret,misconfig --severity HIGH,CRITICAL /workspace'
+        language: system
+        pass_filenames: false
+
+  - repo: local
+    hooks:
+      - id: psscriptanalyzer
+        name: powershell static analysis
+        entry: pwsh -NoProfile -Command "Import-Module PSScriptAnalyzer; Invoke-ScriptAnalyzer -Path . -Recurse -Severity Error"
+        language: system
+        pass_filenames: false

.vscode/settings.json

@@ -1,3 +1,4 @@
 {
-    "trivy.secretScanning": true
+    "trivy.secretScanning": true,
+    "semgrep.scan.onlyGitDirty": false
 }