Modificar .gitea/workflows/deploy.yaml

deploy updated

.gitea/workflows/deploy.yaml

@@ -4,7 +4,7 @@ on:
     branches: [ main ]
 
 jobs:
-  security-gate:
+  security-gate-and-deploy:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
@@ -12,19 +12,23 @@ jobs:
         with:
           fetch-depth: 0
 
-      # 1. SECRET SCANNING (Ativo: Ignora o commit antigo graças ao .gitleaksignore, mas bloqueia novas fugas)
+      # ==========================================
+      # STAGE 1: STATIC SECURITY TESTING (SAST, SCA)
+      # ==========================================
+
+      # 1.1. Secret Scanning: Detect hardcoded secrets and credentials
       - name: Gitleaks Scan
         run: |
           curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz | tar -xz -C /tmp
-          /tmp/gitleaks detect --source . --verbose --redact --exit-code 1
+          /tmp/gitleaks protect --source . --verbose --redact --staged --exit-code 1
 
-      # 2. SCA - Verifica vulnerabilidades no Nginx
+      # 1.2. Software Composition Analysis (SCA): Check for infrastructure vulnerabilities
       - name: Scan Docker Image Vulnerabilities (Trivy)
         run: |
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
           trivy image --severity HIGH,CRITICAL nginx:alpine
 
-      # 3. SAST - Análise de Código com SonarQube
+      # 1.3. Static Application Security Testing (SAST): Source code quality and security
       - name: SonarQube Analysis
         run: |
           curl -sL https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-5.0.1.3006-linux.zip -o sonar-scanner.zip
@@ -33,28 +37,107 @@ jobs:
             -Dsonar.projectKey=website-test \
             -Dsonar.sources=. \
             -Dsonar.host.url=http://51.89.40.2:9000 \
-            -Dsonar.token=${{ secrets.SONAR_TOKEN }}
+            -Dsonar.token=${{ secrets.SONAR_TOKEN }} \
+            -Dsonar.qualitygate.wait=true
 
-  deploy:
+      # ==========================================
-    needs: security-gate
+      # STAGE 2: DYNAMIC TEST ENVIRONMENT
-    runs-on: ubuntu-latest
+      # ==========================================
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v3
 
-      # 4. DEPLOY ATÓMICO E HARDENING
+      - name: Provision Ephemeral Sandbox
-      - name: Hardened Deploy
         run: |
-          docker exec website-test-backend tar -czf /tmp/index_backup.tar.gz -C /usr/share/nginx/html index.html || true
+          # Remove any residual sandbox containers
-          docker exec website-test-backend sh -c "rm -rf /usr/share/nginx/html/*"
+          docker rm -f website-test-sandbox || true
-          docker cp index.html website-test-backend:/usr/share/nginx/html/index.html
-          docker exec website-test-backend chown root:root /usr/share/nginx/html/index.html
-          docker exec website-test-backend chmod 444 /usr/share/nginx/html/index.html
-          # Testar o acesso local por dentro do próprio container Nginx
-          docker exec website-test-backend curl --silent --show-error --fail http://localhost:80 || exit 1
           
-      # 5. AUDITORIA DE DEPLOY
+          # Deploy sandbox. Using Docker internal network prevents external exposure.
-      - name: Slack/Discord Notification
+          docker run -d --name website-test-sandbox nginx:alpine
+          
+          # Copy the current codebase to the sandbox container
+          docker cp index.html website-test-sandbox:/usr/share/nginx/html/index.html
+          
+          # Allow Nginx service to initialize
+          sleep 5
+
+      # ==========================================
+      # STAGE 3: DYNAMIC APPLICATION SECURITY TESTING
+      # ==========================================
+
+      - name: OWASP ZAP Baseline Scan
+        run: |
+          # Initialize test report directory
+          mkdir -p qatests
+          
+          # PREVENTIVE CLEANUP: Ensure no leftover containers or volumes exist
+          docker rm -f zap-scanner || true
+          docker volume rm zap-reports || true
+          
+          # Create a managed Docker volume to prevent host/runner path conflicts
+          docker volume create zap-reports
+          
+          # Execute ZAP scan mounting the managed volume. 
+          # The '-I' flag ensures the pipeline doesn't fail on warnings.
+          docker run --user root --name zap-scanner \
+            --link website-test-sandbox:website-test-sandbox \
+            -v zap-reports:/zap/wrk/:rw \
+            -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
+            -t http://website-test-sandbox \
+            -r report.html \
+            -I || true
+          
+          # Extract the HTML report from the ZAP container to the runner workspace
+          docker cp zap-scanner:/zap/wrk/report.html qatests/report.html
+          
+          # Teardown ZAP container and volume to free up resources
+          docker rm -f zap-scanner || true
+          docker volume rm zap-reports || true
+
+      # Ensure sandbox is destroyed even if previous DAST steps fail
+      - name: Teardown Ephemeral Sandbox
         if: always()
         run: |
-          echo "Deploy finalizado com status: ${{ job.status }}"
+          docker rm -f website-test-sandbox || true
+
+      # ==========================================
+      # STAGE 4: PRODUCTION DEPLOYMENT
+      # ==========================================
+
+      - name: Hardened Production Deployment
+        run: |
+          # Create a backup of the current production state
+          docker exec website-test-backend tar -czf /tmp/index_backup.tar.gz -C /usr/share/nginx/html index.html || true
+          
+          # Clear the production directory and deploy the approved artifact
+          docker exec website-test-backend sh -c "rm -rf /usr/share/nginx/html/*"
+          docker cp index.html website-test-backend:/usr/share/nginx/html/index.html
+          
+          # Apply strict file system permissions (Hardening)
+          docker exec website-test-backend chown root:root /usr/share/nginx/html/index.html
+          docker exec website-test-backend chmod 444 /usr/share/nginx/html/index.html
+          
+          # Healthcheck: Verify local response from the production container
+          docker exec website-test-backend curl --silent --show-error --fail http://localhost:80 || exit 1
+
+      # ==========================================
+      # STAGE 5: ARTIFACT MANAGEMENT & REPORTING
+      # ==========================================
+      
+      - name: Publish ZAP Report to Production Web Server
+        if: always()
+        run: |
+          # Host the report directly on the Nginx container to bypass Gitea's artifact download bug
+          # Accessible at: http://51.89.40.2:8080/zap-report.html
+          docker cp qatests/report.html website-test-backend:/usr/share/nginx/html/zap-report.html || true
+          docker exec website-test-backend chmod 444 /usr/share/nginx/html/zap-report.html || true
+
+      - name: Archive ZAP Report (Raw HTML)
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: owasp-zap-report
+          # Upload the raw HTML file to Gitea Artifacts
+          path: qatests/report.html
+
+      - name: Pipeline Status Notification
+        if: always()
+        run: |
+          echo "Pipeline finished with status: ${{ job.status }}"

.gitleaksignore

@@ -1,2 +0,0 @@
-[allowlist]
-commits = [ "ba0a1cd1a397bf43162e903f663876ee356ce32c" ]

forcar_trigger.txt

@@ -1 +0,0 @@
-"atualizacao-pipelines" 

index.html

@@ -3,12 +3,10 @@
 <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>Nexus Solutions | Inovação Tecnológica</title>
+	<title>Nexus Solutions | Segurança e Inovação 2026</title>
     <script src="https://cdn.tailwindcss.com"></script>
 </head>
 <body class="bg-gray-50 text-gray-900 font-sans">
-<!-- TODO: Remover esta chave de teste antes de ir para produção -->
-
     <nav class="sticky top-0 bg-white/90 backdrop-blur-sm z-50 border-b border-gray-100 py-4 px-6 flex justify-between items-center">
         <div class="text-2xl font-black text-blue-700 tracking-tighter">NEXUS<span class="text-gray-400">.</span></div>
         <div class="hidden md:flex space-x-8 font-medium text-gray-600">

trigger.txt

@@ -1 +0,0 @@
-"teste"