Files
apf_portal/.gitea/workflows/security-scheduled.yml
T
Julien Gautier f35045f3e8
CI / commits (pull_request) Successful in 1m52s
CI / check (pull_request) Successful in 2m1s
CI / scan (pull_request) Successful in 2m3s
CI / a11y (pull_request) Successful in 2m15s
CI / perf (pull_request) Successful in 4m40s
fix(ci): run scanners before pnpm install to avoid node_modules false positives
First successful gitleaks run flagged 381 "leaks" — all of them
inside `node_modules/` and `.pnpm-store/`, populated by the
`pnpm install --frozen-lockfile` step that runs earlier in the
job. Upstream packages routinely embed demo RSA keys / fake API
tokens in their READMEs and test fixtures, and gitleaks
(correctly, by its rules) flags them all. This is the same class
of false-positive Trivy hit before us in #49.

Move both scanners (Trivy + gitleaks) to BEFORE `pnpm install`:

- Trivy scans `pnpm-lock.yaml` for vulns; the lockfile is
  committed, no install required.
- Gitleaks scans the working tree (`--no-git --source .` in
  ci.yml; deep history in security-scheduled.yml). Without
  `pnpm install`, the only files present are our own source
  code, which is what we actually want to scan.
- `pnpm audit` reads `pnpm-lock.yaml` against the advisory DB —
  also doesn't need node_modules. The install before audit
  remains for the workspace-integrity sanity check.

Net result: clean scans, no allowlist file to maintain, scanners
run faster (smaller tree to walk).

The ordering rationale is documented inline at the top of each
job's `steps:` block so a future contributor doesn't innocently
shuffle the steps and re-introduce the false-positive flood.

Apply the same reordering to `security-scheduled.yml` for
consistency, even though its deep-history gitleaks scan does not
suffer the same false positives (history does not contain
node_modules; gitignored from day one).
2026-05-08 00:17:02 +02:00

102 lines
4.0 KiB
YAML

# Per ADR-0015 (CI/CD on Gitea Actions). Weekly full-tree security
# scans plus a Lighthouse run against the production environment when
# its URL is configured. Complements the per-PR ci.yml workflow with
# broader / longer-running checks that don't fit the per-PR budget.
name: Security and perf — scheduled
on:
schedule:
# Mondays, 04:00 UTC — outside business hours; before the week starts.
- cron: '0 4 * * 1'
workflow_dispatch:
jobs:
full-tree-scan:
runs-on: [self-hosted, on-prem]
# Step ordering mirrors ci.yml: scanners run before `pnpm install`
# so the working tree is not polluted with node_modules content
# (READMEs / fixtures of upstream packages contain demo
# secrets that gitleaks false-positives on by the hundreds).
# The deep-history gitleaks scan here doesn't strictly need it
# (history doesn't contain node_modules), but consistency with
# ci.yml keeps the two workflows reading the same way.
steps:
# fetch-depth: 0 → full history. The per-PR gitleaks scan is
# shallow + working-tree-only; this scheduled job is where we
# do the deep history scan that catches secrets ever committed
# (and not just what's currently checked in).
- uses: actions/checkout@v6
with:
fetch-depth: 0
- uses: pnpm/action-setup@v6
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
# Full-tree Trivy (no skip-dirs, no severity filter — the per-PR
# gate filters by severity for speed; this run wants the full
# surface for the security feed). Manual install + curl, same
# pattern as ci.yml — see the rationale there.
- name: Install Trivy
env:
TRIVY_VERSION: '0.70.0'
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
run: |
curl -sfL \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
-o /tmp/trivy.tar.gz \
"https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy
trivy --version
- name: Run Trivy
run: |
trivy fs \
--scanners vuln \
--ignore-unfixed \
.
# Deep gitleaks scan (full git history). Same install pattern as
# ci.yml. `--redact` masks any matched secret in the log so we
# don't leak it via CI logs themselves.
- name: Install gitleaks
env:
GITLEAKS_VERSION: '8.21.0'
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
run: |
curl -sfL \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
-o /tmp/gitleaks.tar.gz \
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks
gitleaks version
- name: Run gitleaks (full history)
run: |
gitleaks detect \
--source . \
--redact \
--exit-code 1
# npm-advisory check (against pnpm-lock.yaml). Run last so
# `pnpm install` does not pollute the working tree before the
# scanners above.
- run: pnpm install --frozen-lockfile
- run: pnpm audit
lighthouse-prod:
# Skipped silently if the prod URL hasn't been configured yet.
if: vars.LHCI_PROD_URL != ''
runs-on: [self-hosted, on-prem]
steps:
- uses: actions/checkout@v6
- uses: pnpm/action-setup@v6
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
- run: pnpm install --frozen-lockfile
- run: pnpm exec lhci collect --url=${{ vars.LHCI_PROD_URL }} --numberOfRuns=3
- run: pnpm exec lhci assert --config=./lighthouserc.js
- uses: actions/upload-artifact@v7
if: always()
with:
name: lighthouseci-prod-report
path: .lighthouseci/
retention-days: 90