4nk/sdk_signer
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(release): latest 0.1.1 + sécurité/CI/docs

Browse Source
This commit is contained in:
Nicolas Cantu 2025-08-27 14:01:28 +02:00
parent 40c59387fc
commit 81a6584010
5 changed files with 67 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
.gitea/workflows/ci.yml
View File

@ -258,11 +258,28 @@ jobs:
run: |
echo "Documentation checks completed"
security-audit:
name: Security Audit
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Ensure scripts executable
run: |
chmod +x scripts/security/audit.sh || true
- name: Run template security audit
run: |
if [ -f scripts/security/audit.sh ]; then
./scripts/security/audit.sh
else
echo "No security audit script (ok)"
fi
# Job de release guard (cohérence release)
release-guard:
name: Release Guard
runs-on: ubuntu-latest
needs: [code-quality, unit-tests, documentation-tests]
needs: [code-quality, unit-tests, documentation-tests, security-audit]
steps:
- name: Checkout code
uses: actions/checkout@v3
@ -333,4 +350,3 @@ jobs:
run: |
echo "❌ Some tests failed!"
exit 1

7
AGENTS.md
View File

@ -1,3 +1,10 @@
# AGENTS
Ce dépôt peut être utilisé avec des agents automatisés (Cursor/4NK). Voir `.cursor/` et `.4nk-sync.yml`.
## Sécurité (vigilance)
- Exécuter laudit de sécurité automatisé: `scripts/security/audit.sh` (npm audit, cargo audit si applicable, scan de secrets).
- Interdiction stricte de secrets en clair; secrets gérés via la CI et variables denvironnement, rotation exigée.
- Vérifier permissions des fichiers sensibles et nonexposition dendpoints privés.
- La CI inclut un job `security-audit` et bloque les releases en cas déchec (intégré au `release-guard`).

1
VERSION Normal file
View File

@ -0,0 +1 @@
v0.1.1

6
docs/SECURITY_AUDIT.md Normal file
View File

@ -0,0 +1,6 @@
# Audit de Sécurité - sdk_signer
- CI: job `security-audit` (voir `.gitea/workflows/ci.yml`).
- Script: `scripts/security/audit.sh` (npm audit, cargo audit si applicable, scan de secrets).
- Bloquant: vulnérabilités élevées/critiques ou secrets détectés.
- En cas déchec, `release-guard` bloque push/tag.

35
scripts/security/audit.sh Normal file
View File

@ -0,0 +1,35 @@
#!/usr/bin/env bash
set -euo pipefail
echo "[security-audit] démarrage"
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")"/../.. && pwd)"
cd "$ROOT_DIR"
rc=0
# 1) Audit npm (si package.json présent)
if [ -f package.json ]; then
echo "[security-audit] npm audit --audit-level=moderate"
if ! npm audit --audit-level=moderate; then rc=1; fi || true
else
echo "[security-audit] pas de package.json (ok)"
fi
# 2) Audit Rust (si Cargo.toml présent)
if command -v cargo >/dev/null 2>&1 && [ -f Cargo.toml ] || find . -maxdepth 2 -name Cargo.toml | grep -q . ; then
echo "[security-audit] cargo audit"
if ! cargo audit --deny warnings; then rc=1; fi || true
else
echo "[security-audit] pas de projet Rust (ok)"
fi
# 3) Recherche de secrets grossiers
echo "[security-audit] scan secrets"
if grep -RIE "(?i)(api[_-]?key|secret|password|private[_-]?key)" --exclude-dir .git --exclude-dir node_modules --exclude-dir target --exclude "*.md" . >/dev/null 2>&1; then
echo "[security-audit] secrets potentiels détectés"; rc=1
else
echo "[security-audit] aucun secret évident"
fi
echo "[security-audit] terminé rc=$rc"
exit $rc