From 81a65840102705a7effc77d4b6c9c4a95d086794 Mon Sep 17 00:00:00 2001
From: Nicolas Cantu
Date: Wed, 27 Aug 2025 14:01:28 +0200
Subject: [PATCH] =?UTF-8?q?chore(release):=20latest=200.1.1=20+=20s=C3=A9c?= =?UTF-8?q?urit=C3=A9/CI/docs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .gitea/workflows/ci.yml | 20 ++++++++++++++++++--
 AGENTS.md | 7 +++++++
 VERSION | 1 +
 docs/SECURITY_AUDIT.md | 6 ++++++
 scripts/security/audit.sh | 35 +++++++++++++++++++++++++++++++++++
 5 files changed, 67 insertions(+), 2 deletions(-)
 create mode 100644 VERSION
 create mode 100644 docs/SECURITY_AUDIT.md
 create mode 100644 scripts/security/audit.sh
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index d6a96f6..c24f0b7 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -258,11 +258,28 @@ jobs:
 run: |
 echo "Documentation checks completed"
 
+ security-audit:
+ name: Security Audit
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Ensure scripts executable
+ run: |
+ chmod +x scripts/security/audit.sh || true
+ - name: Run template security audit
+ run: |
+ if [ -f scripts/security/audit.sh ]; then
+ ./scripts/security/audit.sh
+ else
+ echo "No security audit script (ok)"
+ fi
+
 # Job de release guard (cohérence release)
 release-guard:
 name: Release Guard
 runs-on: ubuntu-latest
- needs: [code-quality, unit-tests, documentation-tests]
+ needs: [code-quality, unit-tests, documentation-tests, security-audit]
 steps:
 - name: Checkout code
 uses: actions/checkout@v3
@@ -333,4 +350,3 @@ jobs:
 run: |
 echo "❌ Some tests failed!"
 exit 1
-
diff --git a/AGENTS.md b/AGENTS.md
index d46acb7..4af6e2e 100644
--- a/AGENTS.md
+++ b/AGENTS.md
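Review bot: The `else` branch of the `Run template security audit` step prints `No security audit script (ok)` and lets the job succeed, so a missing or renamed `scripts/security/audit.sh` silently disables the gate while `release-guard`, which now carries `needs: [code-quality, unit-tests, documentation-tests, security-audit]`, still passes — a release gate should fail closed. Drop the `if`/`else` and call the script unconditionally, e.g. `run: bash scripts/security/audit.sh`, which also makes the `chmod +x scripts/security/audit.sh || true` step unnecessary since `bash` does not depend on the execute bit. The job has no step installing `cargo-audit` (the `cargo audit` subcommand the script invokes is a separate plugin) or any Node toolchain, so on a runner without them the script fails for reasons unrelated to the code under audit; either add setup steps here or have the script skip a tool that is not on PATH with an explicit warning. Like the existing jobs, the step pins `actions/checkout@v3` by mutable tag; a commit SHA would be the reproducible choice, though that is a file-wide convention rather than something this hunk changes.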
@@ -1,3 +1,10 @@ # AGENTS Ce dépôt peut être utilisé avec des agents automatisés (Cursor/4NK). Voir `.cursor/` et `.4nk-sync.yml`. + +## Sécurité (vigilance) + +- Exécuter l’audit de sécurité automatisé: `scripts/security/audit.sh` (npm audit, cargo audit si applicable, scan de secrets). +- Interdiction stricte de secrets en clair; secrets gérés via la CI et variables d’environnement, rotation exigée. +- Vérifier permissions des fichiers sensibles et non‑exposition d’endpoints privés. +- La CI inclut un job `security-audit` et bloque les releases en cas d’échec (intégré au `release-guard`).
diff --git a/VERSION b/VERSION
new file mode 100644
index 0000000..8308b63
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+v0.1.1
diff --git a/docs/SECURITY_AUDIT.md b/docs/SECURITY_AUDIT.md
new file mode 100644
index 0000000..89cea3e
--- /dev/null
+++ b/docs/SECURITY_AUDIT.md
@@ -0,0 +1,6 @@
+# Audit de Sécurité - sdk_signer
+
+- CI: job `security-audit` (voir `.gitea/workflows/ci.yml`).
+- Script: `scripts/security/audit.sh` (npm audit, cargo audit si applicable, scan de secrets).
+- Bloquant: vulnérabilités élevées/critiques ou secrets détectés.
+- En cas d’échec, `release-guard` bloque push/tag.
diff --git a/scripts/security/audit.sh b/scripts/security/audit.sh
new file mode 100644
index 0000000..bb72e6b
--- /dev/null
+++ b/scripts/security/audit.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "[security-audit] démarrage"
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")"/../.. && pwd)"
+cd "$ROOT_DIR"
+
+rc=0
+
+# 1) Audit npm (si package.json présent)
+if [ -f package.json ]; then
+ echo "[security-audit] npm audit --audit-level=moderate"
+ if ! npm audit --audit-level=moderate; then rc=1; fi || true
+else
+ echo "[security-audit] pas de package.json (ok)"
+fi
+
+# 2) Audit Rust (si Cargo.toml présent)
+if command -v cargo >/dev/null 2>&1 && [ -f Cargo.toml ] || find . -maxdepth 2 -name Cargo.toml | grep -q . ; then
+ echo "[security-audit] cargo audit"
+ if ! cargo audit --deny warnings; then rc=1; fi || true
+else
+ echo "[security-audit] pas de projet Rust (ok)"
+fi
+
+# 3) Recherche de secrets grossiers
+echo "[security-audit] scan secrets"
+if grep -RIE "(?i)(api[_-]?key|secret|password|private[_-]?key)" --exclude-dir .git --exclude-dir node_modules --exclude-dir target --exclude "*.md" . >/dev/null 2>&1; then
+ echo "[security-audit] secrets potentiels détectés"; rc=1
+else
+ echo "[security-audit] aucun secret évident"
+fi
+
+echo "[security-audit] terminé rc=$rc"
+exit $rc
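Review bot: The secret scan in step `# 3)` never matches case-insensitively because `(?i)` is a PCRE inline flag, not ERE syntax: under `grep -E` GNU grep, as far as I can tell, drops the leading `?` so the group becomes a literal `i` (only strings such as `isecret` match), while BSD grep rejects the pattern with status 2, which `>/dev/null 2>&1` hides and the `else` branch then reports `aucun secret évident` — either way the gate fails open. Use `-i` instead, treat grep status 2 as a failure rather than a clean run, and exclude this script itself (its own keyword list would otherwise trip a working case-insensitive scan on every run), for example `--exclude=audit.sh`. Separately, the condition in step `# 2)` parses as `(command -v cargo && [ -f Cargo.toml ]) || find …`, so a nested `Cargo.toml` with no `cargo` on PATH still enters the `cargo audit` branch, and `cargo audit` additionally needs the `cargo-audit` subcommand, which the new job in `.gitea/workflows/ci.yml` does not install; grouping the test as `{ command -v cargo >/dev/null 2>&1 && [ -f Cargo.toml ]; } || …` and checking `cargo audit --version >/dev/null 2>&1` before running it would make that branch honest. Proposed rewrite of the scan step:
```shell
# … unchanged: header, ROOT_DIR, npm and cargo steps …
# 3) Recherche de secrets grossiers
echo "[security-audit] scan secrets"
grep_rc=0
grep -RIiE "(api[_-]?key|secret|password|private[_-]?key)" \
  --exclude-dir=.git --exclude-dir=node_modules --exclude-dir=target \
  --exclude='*.md' --exclude=audit.sh . >/dev/null || grep_rc=$?
case $grep_rc in
  0) echo "[security-audit] secrets potentiels détectés"; rc=1 ;;
  1) echo "[security-audit] aucun secret évident" ;;
  *) echo "[security-audit] grep a échoué (rc=$grep_rc)" >&2; rc=1 ;;
esac
# … unchanged: final echo and exit …
```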