mosaic/bootstrap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: update quality rails docs for gitleaks migration

Browse Source 
- TYPESCRIPT-SETUP.md: replace stale git-secrets ref with gitleaks,
  add .gitleaks.toml to copied files list, update expected verify output
- CI-SETUP.md: add secret-scan as first pipeline stage
- README.md: clarify gitleaks in "What You Get" and CI section

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-24 15:33:00 -06:00
parent 38223c8ec2
commit 83491c8ff1
3 changed files with 15 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
tools/quality/README.md
View File

@@ -43,7 +43,7 @@ npx husky install
**TypeScript strict mode** - All type checks enabled
**ESLint blocking `any` types** - no-explicit-any: error
**Pre-commit hooks** - Type check + lint + format before commit
**Secret scanning** - Block hardcoded passwords/API keys
**Secret scanning (gitleaks)** - Block hardcoded passwords/API keys (pre-commit + CI)
**CI/CD templates** - Woodpecker, GitHub Actions, GitLab
**Test coverage enforcement** - 80% threshold
**Security scanning** - npm audit, OWASP checks
@@ -96,11 +96,12 @@ git commit -m "Add feature"
### CI/CD (Remote Enforcement)
```yaml
# Woodpecker pipeline runs:
✓ gitleaks (secret scanning — parallel, no deps)
✓ npm audit (dependency security)
✓ eslint (code quality)
✓ tsc --noEmit (type checking)
✓ jest --coverage (tests + coverage)
✓ npm run build (compilation)
✓ npm run build (compilation — gates on all above)
# If any step fails, merge is blocked
```

13
tools/quality/docs/CI-SETUP.md
View File

@@ -8,12 +8,13 @@ Quality Rails includes `.woodpecker.yml` template.
### Pipeline Stages
1. **Install** - Dependencies
2. **Security Audit** - npm audit for CVEs
3. **Lint** - ESLint checks
4. **Type Check** - TypeScript compilation
5. **Test** - Jest with coverage thresholds
6. **Build** - Production build
1. **Secret Scan** - gitleaks scans latest commit for hardcoded secrets (runs in parallel, no deps)
2. **Install** - Dependencies
3. **Security Audit** - npm audit for CVEs
4. **Lint** - ESLint checks
5. **Type Check** - TypeScript compilation
6. **Test** - Jest with coverage thresholds
7. **Build** - Production build (gates on all above)
### Configuration

7
tools/quality/docs/TYPESCRIPT-SETUP.md
View File

@@ -24,11 +24,12 @@ git clone git@git.mosaicstack.dev:mosaic/quality-rails.git
```
This copies:
- `.husky/pre-commit` - Git hooks
- `.husky/pre-commit` - Git hooks (lint-staged + gitleaks)
- `.lintstagedrc.js` - Pre-commit checks
- `.eslintrc.js` - Strict ESLint rules
- `tsconfig.json` - TypeScript strict mode
- `.woodpecker.yml` - CI pipeline
- `.gitleaks.toml` - Secret scanning config
### 3. Install Dependencies
@@ -75,6 +76,8 @@ Should output:
```
✅ PASS: Type errors blocked
✅ PASS: 'any' types blocked
✅ PASS: gitleaks found (8.24.0)
✅ PASS: gitleaks detected planted secret
✅ PASS: Lint errors blocked
```
@@ -125,7 +128,7 @@ On every `git commit`, runs:
1. ESLint with --max-warnings=0
2. TypeScript type check
3. Prettier formatting
4. Secret scanning (if git-secrets installed)
4. Secret scanning via gitleaks (required)
If any fail → **commit blocked**.