ci: switch to gitleaks #46
6 changed files with 9 additions and 14 deletions
10
.github/workflows/default-ci.yaml
vendored
|
|
@ -21,16 +21,6 @@ on:
|
|||
branches: ["main"]
|
||||
|
||||
jobs:
|
||||
secret-scan:
|
||||
name: "Secret Scanner (TruffleHog)"
|
||||
runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'stackit-docker' }}
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v7
|
||||
|
||||
- name: TruffleHog Scan
|
||||
uses: edplato/trufflehog-actions-scan@master
|
||||
|
||||
todo-check:
|
||||
name: "Check for Open TODOs"
|
||||
runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'stackit-ubuntu-22' }}
|
||||
|
|
|
|||
|
|
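Review bot: With the `secret-scan` job deleted, nothing in `default-ci.yaml` scans for secrets any more; the only gitleaks wiring in this change is a pre-commit hook, which runs on the contributor's machine against staged files only and is skipped entirely by `git commit --no-verify` or by anyone who never ran `pre-commit install`. Dropping the `edplato/trufflehog-actions-scan@master` step is right (a third-party action floating on `master` is a supply-chain risk), but replace it rather than just remove it: add a job that runs `gitleaks/gitleaks-action@v2` (or the gitleaks binary pinned to the same `v8.24.2` as the hook), or run `pre-commit run --all-files` in CI. Any such job needs `fetch-depth: 0` on the `actions/checkout` step, since the default shallow checkout leaves no history for the scanner to walk.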
@ -58,6 +58,11 @@ repos:
|
|||
- id: prettier
|
||||
types_or: [javascript, yaml, json, markdown]
|
||||
|
||||
- repo: https://github.com/gitleaks/gitleaks
|
||||
rev: v8.24.2
|
||||
hooks:
|
||||
- id: gitleaks
|
||||
|
||||
- repo: local
|
||||
hooks:
|
||||
# Requires `addlicense` to be installed locally (go install github.com/google/addlicense@latest)
|
||||
|
|
|
|||
|
|
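Review bot: The hook added at `rev: v8.24.2` uses gitleaks' default pre-commit entry, which scans only the staged diff, so it will never surface secrets already committed in history; run `gitleaks git` once over the full repository before relying on it. Since the `# trufflehog:ignore` markers are removed elsewhere in this change, be ready to add a `.gitleaks.toml` allowlist or `# gitleaks:allow` inline comments if gitleaks flags the templated connection strings. Also consider `pre-commit autoupdate --freeze`, which pins the hook to a commit SHA instead of the movable `v8.24.2` tag.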
@ -59,7 +59,7 @@ To maintain a clean and secure codebase, we enforce a strict CI pipeline on all
|
|||
```
|
||||
|
||||
- **Terraform file naming:** All `.tf` files in examples **must** be prefixed with exactly 3 digits to enforce consistent ordering (e.g., `010-provider.tf`, `020-variables.tf`, `030-resources.tf`, `100-outputs.tf`). Files inside `modules/` directories are exempt from this rule. This check is enforced automatically by pre-commit.
|
||||
- **Scan for Secrets:** Never commit credentials. We use `trufflehog` in the CI pipeline. Ensure you have no hardcoded tokens or passwords in your code.
|
||||
- **Scan for Secrets:** Never commit credentials. We use `gitleaks` in the CI pipeline. Ensure you have no hardcoded tokens or passwords in your code.
|
||||
|
||||
### Repository structure
|
||||
|
||||
|
|
|
|||
|
|
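Review bot: "We use `gitleaks` in the CI pipeline" is no longer accurate once the `secret-scan` job is removed from `default-ci.yaml` in this same change; gitleaks is only wired in as a pre-commit hook. Either reword this bullet to say the check runs locally via pre-commit (and tell contributors to run `pre-commit install`), or keep the wording and add a CI job that actually runs gitleaks on pull requests.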
@ -30,7 +30,7 @@ To ensure high standards and security, we follow a strict contribution process:
|
|||
- **Automated Validation:** Every Pull Request must pass the CI pipeline, which includes:
|
||||
- Linting and formatting checks.
|
||||
- License header verification (Apache 2.0).
|
||||
- Secret scanning (Trufflehog).
|
||||
- Secret scanning (GitLeaks).
|
||||
- **Best Effort Policy:** While we strive for quality, the content is provided "as-is." Use in production environments requires independent validation by the user.
|
||||
|
||||
## 4. Mirroring Process
|
||||
|
|
|
|||
|
|
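Review bot: Same mismatch as the contribution guide above: "Secret scanning (GitLeaks)" is listed under "Every Pull Request must pass the CI pipeline", but after this change no PR-time secret scanner remains. Also, the tool's name is `gitleaks` (lower-case) as written in the other document and in the pre-commit config; align the spelling so readers can grep for it.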
@ -22,6 +22,6 @@ locals {
|
|||
|
||||
output "pg_connection_uri" {
|
||||
description = "PostgreSQL Flex User Connection String"
|
||||
value = "postgres://${local.pg_username}:${local.pg_password}@${local.pg_host}:${local.pg_port}/${local.pg_database}?sslmode=require" # trufflehog:ignore
|
||||
value = "postgres://${local.pg_username}:${local.pg_password}@${local.pg_host}:${local.pg_port}/${local.pg_database}?sslmode=require"
|
||||
sensitive = true
|
||||
}
|
||||
|
|
|
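Review bot: Removing `# trufflehog:ignore` is correct now that trufflehog is gone, but the output still interpolates `local.pg_password` into a plaintext URI; `sensitive = true` only redacts it from plan and apply output, while the state file stores the value unencrypted, so access to the `pg` backend and its state must be treated as credential access. If the gitleaks pre-commit hook flags this line, the like-for-like suppression is a trailing `# gitleaks:allow` comment rather than a repository-wide allowlist.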
|||
|
|
@ -7,7 +7,7 @@ This module contains the core infrastructure configuration. It uses the `pg` bac
|
|||
1. Create a `backend.conf` file in this directory and define the connection string using the credentials generated by the bootstrap module:
|
||||
|
||||
```ini
|
||||
conn_str = "postgres://tf_state_user:<PASSWORD>@<STACKIT_INSTANCE_HOST>:5432/terraform_state?sslmode=require" # trufflehog:ignore
|
||||
conn_str = "postgres://tf_state_user:<PASSWORD>@<STACKIT_INSTANCE_HOST>:5432/terraform_state?sslmode=require"
|
||||
```
|
||||
|
||||
2. Initialize Terraform and bind it to the remote PostgreSQL backend
|
||||
|
|
|
|||
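Review bot: Once `<PASSWORD>` is filled in, `backend.conf` holds a live database credential inside the working tree; the doc should tell readers to add it to `.gitignore` (the gitleaks hook only sees it if it is staged) or, better, to pass the connection string through the `PG_CONN_STR` environment variable that the `pg` backend reads, which keeps the secret out of any file that could be committed.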