Reorganize code analysis workflow to run gitleaks scan before installing dependencies, ensuring more accurate results and maintaining a cleaner environment for subsequent analysis steps.

2025-12-20 15:45:02 +01:00
parent 60257edde3
commit e55ca48de8
1 changed files with 25 additions and 26 deletions
--- a/.gitea/workflows/code-analysis.yml
+++ b/.gitea/workflows/code-analysis.yml
@@ -17,30 +17,6 @@ jobs:
          node -v
          npm -v

-      - name: Install dependencies
-        run: npm ci
-
-      - name: Lint
-        run: npm run lint
-
-      - name: Unit tests
-        run: npm test
-
-      - name: Build
-        run: npm run build --if-present
-
-      - name: Semgrep (SAST)
-        run: semgrep --config p/default --error .
-
-      - name: npm audit (high+)
-        run: npm audit --audit-level=high || true
-
-      - name: OSV-Scanner (SCA)
-        run: |
-          curl -L -o osv-scanner https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64
-          chmod +x osv-scanner
-          ./osv-scanner --lockfile package-lock.json
-
      - name: gitleaks (Secrets Scanning)
        run: |
          # Try to get the latest release asset URL
@@ -69,7 +45,30 @@ jobs:
            exit 1
          fi
          chmod +x gitleaks
-          # Remove build artifacts and node_modules before scanning
-          rm -rf .next .output .nuxt node_modules 2>/dev/null || true
+          # Run gitleaks scan BEFORE installing dependencies to avoid false positives from node_modules
          ./gitleaks detect --source . --no-git --verbose --exit-code 1
          rm -f gitleaks.tar.gz
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Lint
+        run: npm run lint
+
+      - name: Unit tests
+        run: npm test
+
+      - name: Build
+        run: npm run build --if-present
+
+      - name: Semgrep (SAST)
+        run: semgrep --config p/default --error .
+
+      - name: npm audit (high+)
+        run: npm audit --audit-level=high || true
+
+      - name: OSV-Scanner (SCA)
+        run: |
+          curl -L -o osv-scanner https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64
+          chmod +x osv-scanner
+          ./osv-scanner --lockfile package-lock.json