Files
apf_portal/.gitea
julien a0e8e095d0
CI / check (push) Successful in 2m26s
CI / commits (push) Has been skipped
CI / scan (push) Successful in 2m48s
CI / a11y (push) Successful in 1m32s
CI / perf (push) Successful in 3m51s
fix(ci): run scanners before pnpm install to avoid node_modules false positives (#51)
## Summary
First successful gitleaks run flagged **381 "leaks"** — all inside `node_modules/` and `.pnpm-store/`, populated by the `pnpm install --frozen-lockfile` step that ran earlier in the job. Upstream npm packages routinely embed demo RSA keys / fake API tokens in their READMEs and test fixtures, and gitleaks correctly (by its rules) flags them.

Same class of false-positive Trivy hit in #49 — solved there by `--scanners vuln`. Here, the cleanest solution is **reordering**: run the scanners *before* `pnpm install`, so the working tree contains only our committed source.

- **Trivy** scans `pnpm-lock.yaml` (committed) — doesn't need install.
- **Gitleaks** scans the working tree (`--no-git --source .` in ci.yml) — doesn't need install.
- **pnpm audit** reads `pnpm-lock.yaml` against the advisory DB — also doesn't need install. The install before audit remains for the workspace-integrity sanity check.

The ordering rationale is committed as a comment at the top of each job's `steps:` block, so a future contributor doesn't innocently shuffle the steps and re-flood the gate with FPs.

Same reordering applied to `.gitea/workflows/security-scheduled.yml` for consistency, even though its deep-history gitleaks scan doesn't suffer this issue (`node_modules` is `.gitignore`d from day one — never in history).

## Test plan
- [ ] `scan` job goes green end-to-end on this PR — gitleaks reports 0 leaks (or only real ones from our source, none expected).
- [ ] On `push` to main post-merge, scan stays green.
- [ ] Trigger `security-scheduled` manually before next Monday's cron to verify the same ordering doesn't break the deep scan.

## After this PR
With #43 (TS/ESLint reverts), #45 (Trivy install), #49 (Trivy `--scanners vuln`), #50 (gitleaks install), and now this — every gate of the CI pipeline should be green end-to-end. Phase-1 CI bring-up is then complete and we can move to **A — local infra recipe** (Postgres + Redis + OTel Collector).

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #51
2026-05-08 00:18:56 +02:00
..