diff --git a/tools/quality/README.md b/tools/quality/README.md index 44fa030..4644902 100644 --- a/tools/quality/README.md +++ b/tools/quality/README.md @@ -43,7 +43,7 @@ npx husky install ✅ **TypeScript strict mode** - All type checks enabled ✅ **ESLint blocking `any` types** - no-explicit-any: error ✅ **Pre-commit hooks** - Type check + lint + format before commit -✅ **Secret scanning** - Block hardcoded passwords/API keys +✅ **Secret scanning (gitleaks)** - Block hardcoded passwords/API keys (pre-commit + CI) ✅ **CI/CD templates** - Woodpecker, GitHub Actions, GitLab ✅ **Test coverage enforcement** - 80% threshold ✅ **Security scanning** - npm audit, OWASP checks @@ -96,11 +96,12 @@ git commit -m "Add feature" ### CI/CD (Remote Enforcement) ```yaml # Woodpecker pipeline runs: +✓ gitleaks (secret scanning — parallel, no deps) ✓ npm audit (dependency security) ✓ eslint (code quality) ✓ tsc --noEmit (type checking) ✓ jest --coverage (tests + coverage) -✓ npm run build (compilation) +✓ npm run build (compilation — gates on all above) # If any step fails, merge is blocked ``` diff --git a/tools/quality/docs/CI-SETUP.md b/tools/quality/docs/CI-SETUP.md index deade05..1aabbf7 100644 --- a/tools/quality/docs/CI-SETUP.md +++ b/tools/quality/docs/CI-SETUP.md @@ -8,12 +8,13 @@ Quality Rails includes `.woodpecker.yml` template. ### Pipeline Stages -1. **Install** - Dependencies -2. **Security Audit** - npm audit for CVEs -3. **Lint** - ESLint checks -4. **Type Check** - TypeScript compilation -5. **Test** - Jest with coverage thresholds -6. **Build** - Production build +1. **Secret Scan** - gitleaks scans latest commit for hardcoded secrets (runs in parallel, no deps) +2. **Install** - Dependencies +3. **Security Audit** - npm audit for CVEs +4. **Lint** - ESLint checks +5. **Type Check** - TypeScript compilation +6. **Test** - Jest with coverage thresholds +7. **Build** - Production build (gates on all above) ### Configuration 
diff --git a/tools/quality/docs/TYPESCRIPT-SETUP.md b/tools/quality/docs/TYPESCRIPT-SETUP.md index 5ca71fc..455ed24 100644 --- a/tools/quality/docs/TYPESCRIPT-SETUP.md +++ b/tools/quality/docs/TYPESCRIPT-SETUP.md @@ -24,11 +24,12 @@ git clone git@git.mosaicstack.dev:mosaic/quality-rails.git ``` This copies: -- `.husky/pre-commit` - Git hooks +- `.husky/pre-commit` - Git hooks (lint-staged + gitleaks) - `.lintstagedrc.js` - Pre-commit checks - `.eslintrc.js` - Strict ESLint rules - `tsconfig.json` - TypeScript strict mode - `.woodpecker.yml` - CI pipeline +- `.gitleaks.toml` - Secret scanning config ### 3. Install Dependencies @@ -75,6 +76,8 @@ Should output: ``` ✅ PASS: Type errors blocked ✅ PASS: 'any' types blocked +✅ PASS: gitleaks found (8.24.0) +✅ PASS: gitleaks detected planted secret ✅ PASS: Lint errors blocked ``` @@ -125,7 +128,7 @@ On every `git commit`, runs: 1. ESLint with --max-warnings=0 2. TypeScript type check 3. Prettier formatting -4. Secret scanning (if git-secrets installed) +4. Secret scanning via gitleaks (required) If any fail → **commit blocked**.
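Review bot: in the first README hunk the "Pre-commit hooks" line directly above the changed line still reads "Type check + lint + format before commit", so the checklist now says secret scanning runs at pre-commit on one line and omits it from the pre-commit line right above it. Suggest updating that line to "Type check + lint + format + secret scan before commit" so the two entries agree.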
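Review bot: in the README CI/CD hunk, "gitleaks (secret scanning — parallel, no deps)" and "npm run build (compilation — gates on all above)" can only both be true if the build step's dependency list names the gitleaks step; a step with no dependencies that runs in parallel is not something the later steps wait on by default. Either confirm that `.woodpecker.yml` lists the secret-scan step as a dependency of build, or reword the build line so it does not claim to gate on a step that may still be running. The closing "If any step fails, merge is blocked" line remains correct either way, since a failed parallel step still fails the pipeline.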
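Review bot: the CI-SETUP hunk states that gitleaks "scans latest commit for hardcoded secrets", which leaves a gap: a secret added in an earlier commit of the same push or pull request, or added and then removed before the tip commit, is never examined, yet it is still in the history that gets merged. Suggest scanning the whole range being merged (base..head, for example via `gitleaks detect --log-opts` with that range) and documenting that scope here, since this is the only place the pipeline stages are described. The "Configuration" section that follows should also mention `.gitleaks.toml`, which the TYPESCRIPT-SETUP change lists among the copied files but which is not documented in this file.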
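Review bot: in the TYPESCRIPT-SETUP hunk that extends the copied-files list, `.gitleaks.toml` is added with only "Secret scanning config" as a description; nothing on the page says whether it carries custom rules or an allowlist, or how a developer is meant to suppress a confirmed false positive without disabling the scan. One sentence pointing at the allowlist mechanism (and a warning not to broaden it beyond the specific path or fingerprint) would save the first person who hits a false positive from commenting out the hook.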
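Review bot: in the expected-output hunk, `✅ PASS: gitleaks found (8.24.0)` hardcodes a version literal into documentation that readers will compare against their terminal; the line will be stale on the next gitleaks release and the doc gives no hint that the number is illustrative. Suggest showing the version as an example (e.g. "(8.24.0 or newer)") and, if the self-test checks the version at all, having it assert a minimum rather than an exact string. For `✅ PASS: gitleaks detected planted secret`, the doc should say where the planted secret is written and that it is removed afterwards, so the verification step itself cannot leave a fake credential in the working tree or the index.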
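Review bot: the last hunk changes pre-commit secret scanning from "(if git-secrets installed)" to "via gitleaks (required)", but the diff shows no corresponding install instruction: gitleaks is a standalone binary, not an npm dependency, so "3. Install Dependencies" as shown will not provide it. Document how to install it (and which version the self-test expects), and make sure `.husky/pre-commit` fails closed with a clear message when the binary is absent rather than silently skipping, since "required" is only true if a missing scanner blocks the commit. The hook should also scan the staged content rather than the working tree, so what is checked is exactly what is being committed.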