
Add GitLeaks + SAST (njsscan & Semgrep) to CI, plus security study notes

Summary

This MR strengthens our pipeline security by:

  • Enforcing GitLeaks secrets scanning in CI.
  • Adding SAST scanners for JavaScript: njsscan and Semgrep.
  • Documenting how to handle false positives, secrets management, GitLab variables, and SAST basics in Study Notes.

All new security jobs are currently allow_failure: true to surface findings without blocking delivery while the team tunes rules and triage workflow.

Changes

  • .gitlab-ci.yml

    • Add/iterate GitLeaks job and artifacts (JSON/SARIF).
    • Add njsscan job (--exit-warning) and Semgrep job (p/javascript ruleset).
  • docs/STUDY_NOTES.md

    • Add sections on false positives/negatives, least-privilege access, environment variables (incl. protected variables only on protected branches/tags), secrets across the pipeline, and SAST overview.
    • Add YAML examples for njsscan and Semgrep with plain-English explanations.
  • README.md

    • References to security scanning and how to run locally (GitLeaks).
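As an added illustration (not this MR's actual `.gitlab-ci.yml` diff), the following is one way to express the three jobs the change list describes: a GitLeaks job with JSON and SARIF artifacts, an njsscan job with `--exit-warning`, and a Semgrep job on the `p/javascript` ruleset, all `allow_failure: true`. The stage and job names, image references, report file names and the `rules` block are assumptions chosen for the example.

```yaml
# Added illustration, not this MR's actual .gitlab-ci.yml diff. Stage and job
# names, image references, report file names and the rules block are assumptions.
stages:
  - security

# Hidden template shared by the three scanners.
.security-job:
  stage: security
  allow_failure: true   # surface findings as a warning; do not block delivery yet
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  artifacts:
    when: always        # the scanners exit non-zero on findings; keep the report anyway
    expire_in: 1 week
  # None of these jobs reads a protected CI/CD variable: protected variables are
  # only injected on protected branches/tags, so a job that needed one would
  # silently run without it on feature-branch and merge-request pipelines.

gitleaks:
  extends: .security-job
  image:
    name: ghcr.io/gitleaks/gitleaks:latest
    entrypoint: [""]    # the image entrypoint is the gitleaks binary; GitLab needs a shell
  variables:
    GIT_DEPTH: "0"      # full clone; with a shallow clone only the fetched commits are scanned
  script:
    # First pass writes JSON and is forced to exit 0 so the second pass still runs.
    - gitleaks detect --source . --redact --report-format json --report-path gitleaks.json --exit-code 0
    # Second pass writes SARIF and exits 1 on findings (the gitleaks default),
    # which allow_failure turns into a pipeline warning.
    - gitleaks detect --source . --redact --report-format sarif --report-path gitleaks.sarif
  artifacts:
    paths:
      - gitleaks.json
      - gitleaks.sarif

njsscan:
  extends: .security-job
  image:
    name: opensecurity/njsscan:latest
    entrypoint: [""]
  script:
    # --exit-warning: non-zero exit on warning-severity findings, not only on errors.
    - njsscan --exit-warning --sarif -o njsscan.sarif .
  artifacts:
    paths:
      - njsscan.sarif

semgrep:
  extends: .security-job
  image: semgrep/semgrep:latest
  script:
    # p/javascript is the registry ruleset; --error makes any finding exit non-zero;
    # --metrics=off keeps the CI run from reporting usage data to the registry.
    - semgrep scan --config p/javascript --metrics=off --sarif --output semgrep.sarif --error .
  artifacts:
    paths:
      - semgrep.sarif
```

Two details matter in practice: `artifacts.when: always` is what keeps the SARIF/JSON reports downloadable when a scanner fails the job on findings, and `GIT_DEPTH` controls whether GitLeaks sees the whole history or only the commits GitLab's shallow clone fetched. The same `gitleaks detect --source . --redact` invocation runs unchanged on a developer machine, which is the local check the README points to.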
