save progress

.gitea/workflows/secrets-scan.yml

@@ -0,0 +1,105 @@
+# Secrets Scanning Workflow
+# Sprint: CI/CD Enhancement - Security Scanning
+#
+# Purpose: Detect hardcoded secrets, API keys, and credentials in code
+# Triggers: Push to main/develop, all PRs
+#
+# Tool: PLACEHOLDER - Choose one: TruffleHog, Gitleaks, or Semgrep
+
+name: Secrets Scanning
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+  workflow_dispatch:
+    inputs:
+      scan_history:
+        description: 'Scan full git history'
+        required: false
+        type: boolean
+        default: false
+
+jobs:
+  secrets-scan:
+    name: Scan for Secrets
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: ${{ github.event.inputs.scan_history == 'true' && 0 || 50 }}
+
+      # PLACEHOLDER: Choose your secrets scanner
+      # Option 1: TruffleHog (recommended - comprehensive, low false positives)
+      # Option 2: Gitleaks (fast, good for CI)
+      # Option 3: Semgrep (if already using for SAST)
+
+      - name: TruffleHog Scan
+        id: trufflehog
+        # Uncomment when ready to use TruffleHog:
+        # uses: trufflesecurity/trufflehog@main
+        # with:
+        #   extra_args: --only-verified
+        run: |
+          echo "::notice::Secrets scanning placeholder - configure scanner below"
+          echo ""
+          echo "Available options:"
+          echo "  1. TruffleHog: trufflesecurity/trufflehog@main"
+          echo "  2. Gitleaks: gitleaks/gitleaks-action@v2"
+          echo "  3. Semgrep: returntocorp/semgrep-action@v1"
+          echo ""
+          echo "To enable, uncomment the appropriate action above"
+
+      # Alternative: Gitleaks
+      # - name: Gitleaks Scan
+      #   uses: gitleaks/gitleaks-action@v2
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      #     GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+
+      # Alternative: Semgrep (secrets rules)
+      # - name: Semgrep Secrets Scan
+      #   uses: returntocorp/semgrep-action@v1
+      #   with:
+      #     config: p/secrets
+
+      - name: Upload scan results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: secrets-scan-results
+          path: |
+            **/trufflehog-*.json
+            **/gitleaks-*.json
+            **/semgrep-*.json
+          retention-days: 30
+          if-no-files-found: ignore
+
+  summary:
+    name: Scan Summary
+    runs-on: ubuntu-latest
+    needs: [secrets-scan]
+    if: always()
+
+    steps:
+      - name: Generate summary
+        run: |
+          echo "## Secrets Scanning Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          if [[ "${{ needs.secrets-scan.result }}" == "success" ]]; then
+            echo "### No secrets detected" >> $GITHUB_STEP_SUMMARY
+          elif [[ "${{ needs.secrets-scan.result }}" == "failure" ]]; then
+            echo "### Secrets detected - review required" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "Please review the scan artifacts for details." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "### Scan status: ${{ needs.secrets-scan.result }}" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Scanner:** Placeholder (configure in workflow)" >> $GITHUB_STEP_SUMMARY
+          echo "**Trigger:** ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY
+          echo "**Branch:** ${{ github.ref_name }}" >> $GITHUB_STEP_SUMMARY