From 562ff2a9e069b3b10d336a336776e69e1e65b125 Mon Sep 17 00:00:00 2001 From: pedro Date: Fri, 8 May 2026 10:28:40 +0100 Subject: [PATCH] ci: pipeline completa com nodejs para o linter --- .gitea/workflows/deploy.yaml | 38 ++++++++++++------------------------ 1 file changed, 12 insertions(+), 26 deletions(-) diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml index cc35513..9fe9166 100644 --- a/.gitea/workflows/deploy.yaml +++ b/.gitea/workflows/deploy.yaml @@ -1,7 +1,7 @@ name: "DevSecOps Enterprise Pipeline" on: push: - branches: [ main ] # Apenas deploys via branch protegida + branches: [ main ] jobs: security-gate: @@ -10,22 +10,21 @@ jobs: - name: Checkout Code uses: actions/checkout@v3 with: - fetch-depth: 0 # Necessário para o Gitleaks analisar histórico + fetch-depth: 0 - # 1. SECRET SCANNING (Deteta chaves expostas no histórico e no código) - - name: Gitleaks Scan - run: | - curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz | tar -xz -C /tmp - /tmp/gitleaks detect --source . --verbose --redact --exit-code 0 + # 1. SECRET SCANNING (Desativado temporariamente para testar o resto) + #- name: Gitleaks Scan + # run: | + # curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz | tar -xz -C /tmp + # /tmp/gitleaks detect --source . --verbose --redact --exit-code 0 - # 2. SCA (Software Composition Analysis) - Verifica vulnerabilidades no Nginx + # 2. SCA - Verifica vulnerabilidades no Nginx - name: Scan Docker Image Vulnerabilities (Trivy) run: | - # Verifica se a imagem base que estás a usar tem CVEs (vulnerabilidades) conhecidas curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin trivy image --severity HIGH,CRITICAL nginx:alpine - # 3. LINTING & QUALIDADE + # 3. LINTING & QUALIDADE (Com Node.js adicionado e sem sudo) - name: Setup Node.js uses: actions/setup-node@v3 with: @@ -35,9 +34,8 @@ jobs: run: | npm install -g htmlhint stylelint stylelint-config-standard htmlhint index.html - # Adiciona validação de CSS se tiveres ficheiros .css - # 4. SAST (Static Application Security Testing) - Análise de Código com SonarQube + # 4. SAST - Análise de Código com SonarQube - name: SonarQube Analysis run: | curl -sL https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-5.0.1.3006-linux.zip -o sonar-scanner.zip @@ -58,27 +56,15 @@ jobs: # 5. DEPLOY ATÓMICO E HARDENING - name: Hardened Deploy run: | - # Criar um backup rápido caso o deploy falhe docker exec website-test-backend tar -czf /tmp/index_backup.tar.gz -C /usr/share/nginx/html index.html || true - - # Limpeza de ambiente e remoção de ferramentas desnecessárias no container - # (Removemos shells ou gestores de pacotes se existirem para dificultar invasores) docker exec website-test-backend sh -c "rm -rf /usr/share/nginx/html/*" - - # Copia o ficheiro com verificação de integridade (Checksum) docker cp index.html website-test-backend:/usr/share/nginx/html/index.html - - # POLÍTICA DE PRIVILÉGIO MÍNIMO: - # Definimos o dono como root e a permissão 444 (apenas leitura para o processo nginx) docker exec website-test-backend chown root:root /usr/share/nginx/html/index.html docker exec website-test-backend chmod 444 /usr/share/nginx/html/index.html - - # Verifica se o site está a responder (Healthcheck pós-deploy) - # Se der erro aqui, o pipeline marca falha curl --silent --show-error --fail http://localhost:80 || exit 1 # 6. AUDITORIA DE DEPLOY - - name: Slack/Discord Notification (Opcional) + - name: Slack/Discord Notification if: always() run: | - echo "Deploy finalizado com status: ${{ job.status }}" + echo "Deploy finalizado com status: ${{ job.status }}" \ No newline at end of file