mosaic/bootstrap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f537f1ca7f24bdc4f5265d2a9a24ab5897c96c4f
bootstrap/tools/quality/templates/monorepo/.woodpecker.yml
Jason Woltje f537f1ca7f feat: add gitleaks secret scanning to quality rails 
Replace non-blocking git-secrets with mandatory gitleaks scanning:
- Pre-commit: blocks commit if gitleaks not installed or secrets found
- CI: pinned gitleaks Docker image scans each commit in Woodpecker
- Shared .gitleaks.toml with 12 custom rules for database URLs,
  alembic.ini, bearer tokens, PEM keys, docker-compose secrets, etc.
- Stopwords suppress localhost/changeme/placeholder false positives
- Install/verify scripts updated for gitleaks (no longer optional)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 14:45:24 -06:00

77 lines
1.6 KiB
YAML
Raw Blame History

# Woodpecker CI Quality Enforcement Pipeline - Monorepo
when:
- event: [push, pull_request, manual]
variables:
- &node_image "node:20-alpine"
- &gitleaks_image "ghcr.io/gitleaks/gitleaks:v8.24.0"
- &install_deps |
corepack enable
npm ci --ignore-scripts
steps:
# Secret scanning (runs in parallel with install, no deps)
secret-scan:
image: *gitleaks_image
commands:
- gitleaks git --redact --verbose --log-opts="HEAD~1..HEAD"
depends_on: []
install:
image: *node_image
commands:
- *install_deps
security-audit:
image: *node_image
commands:
- *install_deps
- npm audit --audit-level=high
depends_on:
- install
lint:
image: *node_image
environment:
SKIP_ENV_VALIDATION: "true"
commands:
- *install_deps
- npm run lint
depends_on:
- install
typecheck:
image: *node_image
environment:
SKIP_ENV_VALIDATION: "true"
commands:
- *install_deps
- npm run type-check
depends_on:
- install
test:
image: *node_image
environment:
SKIP_ENV_VALIDATION: "true"
commands:
- *install_deps
- npm run test -- --coverage --coverageThreshold='{"global":{"branches":80,"functions":80,"lines":80,"statements":80}}'
depends_on:
- install
build:
image: *node_image
environment:
SKIP_ENV_VALIDATION: "true"
NODE_ENV: "production"
commands:
- *install_deps
- npm run build
depends_on:
- lint
- typecheck
- test
- security-audit
- secret-scan
Reference in New Issue View Git Blame Copy Permalink