ci(secu): update analyses (#18)

Author: sc979

.githooks/pre-commit

@@ -0,0 +1,12 @@
+#!/usr/bin/env sh
+set -eu
+
+# ensure gitleaks is available
+if ! command -v gitleaks >/dev/null 2>&1; then
+  echo "Error: gitleaks is not installed or not in PATH." >&2
+  echo "Install: https://github.com/gitleaks/gitleaks#install" >&2
+  exit 1
+fi
+
+# scan for secrets before commit
+gitleaks detect --no-git --verbose

.github/CODEOWNERS

@@ -0,0 +1,7 @@
+*                           @centreon/owners-react @centreon/owners-php
+
+.github/**                  @centreon/owners-pipelines
+
+.gitleaks.toml              @centreon/owners-security
+.gitleaksignore             @centreon/owners-security
+**/secu-*.yml               @centreon/owners-security

.github/dependabot.yml

@@ -0,0 +1,38 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: '/'
+    schedule:
+      interval: monthly
+    open-pull-requests-limit: 50
+    labels:
+      - 'dependencies'
+      - 'gha'
+
+  - package-ecosystem: npm
+    directory: '/'
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 0
+    labels:
+      - 'dependencies'
+      - 'javascript'
+    allow:
+      - dependency-type: "direct"
+      - dependency-type: "production"
+    ignore:
+      - dependency-name: '*'
+
+  - package-ecosystem: composer
+    directory: '/'
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 0
+    labels:
+      - 'dependencies'
+      - 'php'
+    allow:
+      - dependency-type: "direct"
+      - dependency-type: "production"
+    ignore:
+      - dependency-name: '*'

.github/workflows/actionlint.yml

@@ -0,0 +1,28 @@
+name: actionlint
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - master
+      - main
+      - develop
+    paths:
+      - ".github/**"
+
+jobs:
+  action-lint:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Ensure SHA pinned actions
+        uses: centreon/github-actions-ensure-sha-pinned-actions@47d553c67ceb08ad660deaeb3b994e47a3dd8fc3 # v3.0.23.3
+        with:
+          allowlist: |
+            centreon/security-tools

.github/workflows/secu-code-scan.yml

@@ -0,0 +1,34 @@
+name: code-scan
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+    branches:
+      - master
+      - main
+      - develop
+  push:
+    branches:
+      - master
+      - main
+      - develop
+  workflow_dispatch:
+  schedule:
+    - cron: 0 1 * * 1-5
+
+jobs:
+
+  code-scan:
+    uses: centreon/security-tools/.github/workflows/checkmarx-analysis.yml@main
+    with:
+      module_directory:
+      module_name: centreon-dummy
+      exclude_list:
+    secrets:
+      base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
+      cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
+      cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
+      cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}

.github/workflows/secu-dependency-scan.yml

@@ -0,0 +1,12 @@
+name: dependency-scan
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  dependency-scan:
+    uses: centreon/security-tools/.github/workflows/dependency-analysis.yml@main

.github/workflows/secu-secret-scan.yml

@@ -0,0 +1,12 @@
+name: secrets-scan
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  secrets-scan:
+    uses: centreon/security-tools/.github/workflows/gitleaks-analysis.yml@main

.gitleaks.toml

@@ -0,0 +1,22 @@
+title = "Gitleaks custom rules"
+
+[extend]
+useDefault = true
+
+[allowlist]
+paths = [
+  '''node_modules\/''',
+  '''vendor\/''',
+  '''(.*?)\.rptlibrary''',
+  '''package\.json''',
+  '''package-lock\.json''',
+  '''composer\.json''',
+  '''composer\.lock''',
+  '''\.gitleaks\.toml$''',
+  '''(.*?)(jpg|gif|doc|pdf|bin)$'''
+]
+
+regexTarget = "match"
+regexes = [
+  '''ABCDEFG1234567890'''
+]