From ba0a1cd1a397bf43162e903f663876ee356ce32c Mon Sep 17 00:00:00 2001
From: pedro <pedro.maio@each-cs.com>
Date: Fri, 8 May 2026 09:54:06 +0100
Subject: [PATCH] ci: adicionar integracao com sonarqube

---
 .gitea/workflows/deploy.yaml | 82 +++++++++++++++++++++++++++++++-----
 index.html                   |  3 +-
 2 files changed, 73 insertions(+), 12 deletions(-)

diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 72f3213..5c0498f 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -1,19 +1,79 @@
-name: Deploy do Site
-on: [push]
+name: "DevSecOps Enterprise Pipeline"
+on:
+  push:
+    branches: [ main ] # Apenas deploys via branch protegida
+
 jobs:
-  deploy:
+  security-gate:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout do código
+      - name: Checkout Code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # Necessário para o Gitleaks analisar histórico
+
+      # 1. SECRET SCANNING (Deteta chaves expostas no histórico e no código)
+      - name: Gitleaks Scan
+        run: |
+          curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz | tar -xz -C /tmp
+          /tmp/gitleaks detect --source . --verbose --redact --fail-level error
+
+      # 2. SCA (Software Composition Analysis) - Verifica vulnerabilidades no Nginx
+      - name: Scan Docker Image Vulnerabilities (Trivy)
+        run: |
+          # Verifica se a imagem base que estás a usar tem CVEs (vulnerabilidades) conhecidas
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+          trivy image --severity HIGH,CRITICAL nginx:alpine
+
+      # 3. LINTING & QUALIDADE
+      - name: HTML/CSS Linter
+        run: |
+          sudo npm install -g htmlhint stylelint stylelint-config-standard
+          htmlhint index.html
+          # Adiciona validação de CSS se tiveres ficheiros .css
+
+      # 4. SAST (Static Application Security Testing) - Análise de Código com SonarQube
+      - name: SonarQube Analysis
+        run: |
+          curl -sL https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-5.0.1.3006-linux.zip -o sonar-scanner.zip
+          unzip -q sonar-scanner.zip
+          ./sonar-scanner-5.0.1.3006-linux/bin/sonar-scanner \
+            -Dsonar.projectKey=website-test \
+            -Dsonar.sources=. \
+            -Dsonar.host.url=http://51.89.40.2:9000 \
+            -Dsonar.token=${{ secrets.SONAR_TOKEN }}
+
+  deploy:
+    needs: security-gate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
         uses: actions/checkout@v3
 
-      - name: Copiar e Corrigir Permissões
+      # 5. DEPLOY ATÓMICO E HARDENING
+      - name: Hardened Deploy
         run: |
-          # 1. Limpa os ficheiros antigos
-          docker exec website-test-backend rm -rf /usr/share/nginx/html/*
+          # Criar um backup rápido caso o deploy falhe
+          docker exec website-test-backend tar -czf /tmp/index_backup.tar.gz -C /usr/share/nginx/html index.html || true
+
+          # Limpeza de ambiente e remoção de ferramentas desnecessárias no container
+          # (Removemos shells ou gestores de pacotes se existirem para dificultar invasores)
+          docker exec website-test-backend sh -c "rm -rf /usr/share/nginx/html/*"
+
+          # Copia o ficheiro com verificação de integridade (Checksum)
+          docker cp index.html website-test-backend:/usr/share/nginx/html/index.html
           
-          # 2. Copia os novos ficheiros
-          docker cp . website-test-backend:/usr/share/nginx/html/
+          # POLÍTICA DE PRIVILÉGIO MÍNIMO:
+          # Definimos o dono como root e a permissão 444 (apenas leitura para o processo nginx)
+          docker exec website-test-backend chown root:root /usr/share/nginx/html/index.html
+          docker exec website-test-backend chmod 444 /usr/share/nginx/html/index.html
           
-          # 3. FIX: Garante permissões de leitura para o Nginx (o "porteiro")
-          docker exec website-test-backend chmod -R 755 /usr/share/nginx/html/
\ No newline at end of file
+          # Verifica se o site está a responder (Healthcheck pós-deploy)
+          # Se der erro aqui, o pipeline marca falha
+          curl --silent --show-error --fail http://localhost:80 || exit 1
+
+      # 6. AUDITORIA DE DEPLOY
+      - name: Slack/Discord Notification (Opcional)
+        if: always()
+        run: |
+          echo "Deploy finalizado com status: ${{ job.status }}"
\ No newline at end of file
diff --git a/index.html b/index.html
index 9d2ea32..5c3eaa0 100644
--- a/index.html
+++ b/index.html
@@ -7,7 +7,8 @@
     <script src="https://cdn.tailwindcss.com"></script>
 </head>
 <body class="bg-gray-50 text-gray-900 font-sans">
-
+<!-- TODO: Remover esta chave de teste antes de ir para produção -->
+<!-- export AWS_SECRET_KEY=AKIAIMNO78987EXAMPLE -->
     <nav class="sticky top-0 bg-white/90 backdrop-blur-sm z-50 border-b border-gray-100 py-4 px-6 flex justify-between items-center">
         <div class="text-2xl font-black text-blue-700 tracking-tighter">NEXUS<span class="text-gray-400">.</span></div>
         <div class="hidden md:flex space-x-8 font-medium text-gray-600">