sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: remove GitLab CI config and docs after full Gitea migration
Some checks failed
CI / ruff (push) Successful in 12s
Details
CI / validate (push) Has been cancelled
Details
CI / dependency-scanning (push) Has been cancelled
Details
CI / docs (push) Has been cancelled
Details
CI / deploy (push) Has been cancelled
Details
CI / pytest (push) Has been cancelled
Details

Browse Source 
- Delete .gitlab-ci.yml (replaced by .gitea/workflows/ci.yml)
- Delete docs/deployment/gitlab.md (superseded by gitea.md)
- Update audit rules to reference .gitea/workflows/*.yml
- Update validate_audit.py to check Gitea CI paths
- Clean up GitLab references in gitea.md, mkdocs.yml, .dockerignore
- Mark IPv6 AAAA records as completed in hetzner docs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Samir Boulahtit
2026-02-15 19:28:35 +01:00
parent 5474fc5301
commit b382090771
13 changed files with 37 additions and 600 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
.audit-rules/change_management.yaml
View File

@@ -55,7 +55,7 @@ rules:
type: file_exists
paths:
- ".github/PULL_REQUEST_TEMPLATE.md"
- ".gitlab/merge_request_templates/*.md"
- "CONTRIBUTING.md"
message: "Pull request template recommended"
- id: CHANGE-REV-002
@@ -74,7 +74,6 @@ rules:
type: file_exists
paths:
- ".github/CODEOWNERS"
- "CODEOWNERS" # GitLab uses root CODEOWNERS or .gitlab/CODEOWNERS
- "CODEOWNERS"
message: "Consider defining code owners for critical paths"
@@ -91,7 +90,7 @@ rules:
paths:
- ".github/workflows/ci.yml"
- ".github/workflows/test.yml"
- ".gitlab-ci.yml"
- ".gitea/workflows/*.yml"
message: "CI workflow for automated testing required"
- id: CHANGE-CI-002
@@ -102,7 +101,7 @@ rules:
type: pattern_recommended
paths:
- ".github/workflows/*.yml"
- ".gitlab-ci.yml"
- ".gitea/workflows/*.yml"
patterns:
- "security|bandit|safety|snyk|trivy"
message: "Consider security scanning in CI pipeline"
@@ -115,7 +114,7 @@ rules:
type: pattern_required
paths:
- ".github/workflows/*.yml"
- ".gitlab-ci.yml"
- ".gitea/workflows/*.yml"
patterns:
- "ruff|flake8|pylint|mypy|lint"
message: "Code quality checks required in CI"
@@ -146,7 +145,7 @@ rules:
paths:
- ".github/workflows/release.yml"
- ".github/workflows/deploy.yml"
- ".gitlab-ci.yml"
- ".gitea/workflows/*.yml"
- "Dockerfile"
message: "Automated deployment process recommended"
@@ -199,7 +198,7 @@ rules:
paths:
- "Dockerfile"
- ".github/workflows/*.yml"
- ".gitlab-ci.yml"
- ".gitea/workflows/*.yml"
patterns:
- "tag|version|:v"
message: "Container image versioning recommended"

10
.audit-rules/compliance.yaml
View File

@@ -122,10 +122,9 @@ rules:
type: file_exists
paths:
- ".github/PULL_REQUEST_TEMPLATE.md"
- ".gitlab/merge_request_templates/*.md"
- "CONTRIBUTING.md"
- ".github/workflows/*.yml"
- ".gitlab-ci.yml"
- ".gitea/workflows/*.yml"
message: "Code review process must be documented/enforced"
- id: COMP-POL-002
@@ -138,8 +137,7 @@ rules:
- ".github/CODEOWNERS"
- "CODEOWNERS"
- ".github/workflows/*.yml"
- ".gitlab-ci.yml"
- ".gitlab-ci.yml"
- ".gitea/workflows/*.yml"
message: "Document change approval requirements"
- id: COMP-POL-003
@@ -166,7 +164,7 @@ rules:
type: file_exists
paths:
- ".github/workflows/ci.yml"
- ".gitlab-ci.yml"
- ".gitea/workflows/*.yml"
- "pytest.ini"
- "pyproject.toml"
patterns:
@@ -181,7 +179,7 @@ rules:
type: file_exists
paths:
- ".github/workflows/*.yml"
- ".gitlab-ci.yml"
- ".gitea/workflows/*.yml"
patterns:
- "deploy|release"
message: "Deployment process must be automated and logged"

2
.audit-rules/documentation.yaml
View File

@@ -94,7 +94,7 @@ rules:
paths:
- "SECURITY.md"
- ".github/SECURITY.md"
- ".gitlab/SECURITY.md"
- ".gitea/SECURITY.md"
message: "Security policy (SECURITY.md) required"
- id: DOC-SEC-002

6
.audit-rules/third_party.yaml
View File

@@ -57,7 +57,7 @@ rules:
type: file_exists
paths:
- ".github/workflows/*.yml"
- ".gitlab-ci.yml"
- ".gitea/workflows/*.yml"
patterns:
- "safety|pip-audit|snyk|dependabot"
message: "Dependency vulnerability scanning required"
@@ -70,7 +70,7 @@ rules:
type: file_exists
paths:
- ".github/dependabot.yml"
- ".gitlab-ci.yml" # GitLab uses built-in dependency scanning
- ".gitea/workflows/*.yml"
message: "Consider enabling Dependabot for security updates"
- id: THIRD-VULN-003
@@ -81,7 +81,7 @@ rules:
type: pattern_recommended
paths:
- ".github/workflows/*.yml"
- ".gitlab-ci.yml"
- ".gitea/workflows/*.yml"
patterns:
- "trivy|grype|snyk.*container"
message: "Consider container image vulnerability scanning"

1
.dockerignore
View File

@@ -3,7 +3,6 @@
!.env.example
.git
.gitea
.gitlab-ci.yml
__pycache__
*.pyc
*.pyo

2
.gitea/workflows/ci.yml
View File

@@ -1,6 +1,6 @@
# Gitea Actions CI/CD Configuration
# ==================================
# Equivalent of the GitLab CI pipeline, using GitHub Actions-compatible syntax.
# Uses GitHub Actions-compatible syntax. Requires Gitea 1.19+ with Actions enabled.
# Requires Gitea 1.19+ with Actions enabled.
name: CI

130
.gitlab-ci.yml
View File

@@ -1,130 +0,0 @@
# GitLab CI/CD Configuration
# =========================
stages:
- lint
- test
- security
- build
variables:
PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
PYTHON_VERSION: "3.11"
# Cache dependencies between jobs
cache:
paths:
- .cache/pip
- .venv/
# Lint Stage
# ----------
ruff:
stage: lint
image: python:${PYTHON_VERSION}
before_script:
- pip install uv
- uv sync --frozen
script:
- .venv/bin/ruff check .
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
# Test Stage
# ----------
pytest:
stage: test
image: python:${PYTHON_VERSION}
services:
- name: postgres:15
alias: postgres
variables:
# PostgreSQL service configuration
POSTGRES_DB: orion_test
POSTGRES_USER: test_user
POSTGRES_PASSWORD: test_password
# Application database URL for tests
TEST_DATABASE_URL: "postgresql://test_user:test_password@postgres:5432/orion_test"
# Skip database validation during import (tests use TEST_DATABASE_URL)
DATABASE_URL: "postgresql://test_user:test_password@postgres:5432/orion_test"
before_script:
- pip install uv
- uv sync --frozen
# Wait for PostgreSQL to be ready
- apt-get update && apt-get install -y postgresql-client
- for i in $(seq 1 30); do pg_isready -h postgres -U test_user && break || sleep 1; done
script:
- .venv/bin/python -m pytest tests/ -v --tb=short
coverage: '/TOTAL.*\s+(\d+%)/'
artifacts:
reports:
junit: report.xml
coverage_report:
coverage_format: cobertura
path: coverage.xml
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
architecture:
stage: test
image: python:${PYTHON_VERSION}
variables:
# Set DATABASE_URL to satisfy validation (not actually used by validator)
DATABASE_URL: "postgresql://dummy:dummy@localhost:5432/dummy"
before_script:
- pip install uv
- uv sync --frozen
script:
- .venv/bin/python scripts/validate/validate_architecture.py
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
# Security Stage
# --------------
dependency_scanning:
stage: security
image: python:${PYTHON_VERSION}
before_script:
- pip install pip-audit
script:
- pip-audit --requirement requirements.txt || true
allow_failure: true
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
audit:
stage: security
image: python:${PYTHON_VERSION}
before_script:
- pip install uv
- uv sync --frozen
script:
- .venv/bin/python scripts/validate/validate_audit.py
allow_failure: true
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
# Build Stage
# -----------
docs:
stage: build
image: python:${PYTHON_VERSION}
before_script:
- pip install uv
- uv sync --frozen
script:
- .venv/bin/mkdocs build
artifacts:
paths:
- site/
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

34
docs/deployment/gitea.md
View File

@@ -1,6 +1,6 @@
# Gitea CI/CD Deployment Guide
This document describes how to **self-host Gitea** on an external server and migrate CI/CD from GitLab to **Gitea Actions** (GitHub Actions-compatible).
This document describes how to **self-host Gitea** on an external server with **Gitea Actions** CI/CD (GitHub Actions-compatible).
---
@@ -8,8 +8,8 @@ This document describes how to **self-host Gitea** on an external server and mig
- Lightweight, self-hosted Git forge (single binary or Docker image)
- Built-in CI/CD via **Gitea Actions** (GitHub Actions-compatible YAML)
- Built-in migration tool imports repos, issues, and PRs from GitLab
- Low resource usage compared to GitLab
- Built-in migration tool imports repos, issues, and PRs from other forges
- Low resource usage
---
@@ -176,22 +176,15 @@ git push gitea --tags
### Option B: Gitea built-in migration (code + issues + PRs)
1. In Gitea, click **+** > **New Migration**.
2. Select **GitLab** as the source.
3. Enter your GitLab URL and a Personal Access Token.
4. Gitea will import the repository, issues, labels, milestones, and merge requests.
2. Select the source forge (GitHub, GitLab, etc.).
3. Enter the source URL and a Personal Access Token.
4. Gitea will import the repository, issues, labels, milestones, and pull/merge requests.
---
## 6. CI/CD — GitLab vs Gitea Actions
## 6. CI/CD — Gitea Actions
The workflow file lives in `.gitea/workflows/ci.yml` (already created in this repository).
| GitLab CI (`.gitlab-ci.yml`) | Gitea Actions (`.gitea/workflows/ci.yml`) |
|------------------------------|-------------------------------------------|
| `stages:` + `stage:` per job | Jobs run in parallel; use `needs:` for ordering |
| `services:` (top-level on job) | `services:` nested under each job with `options:` |
| `allow_failure: true` | `continue-on-error: true` |
| `rules: - if:` | `on:` triggers + `if:` conditionals per job |
The workflow file lives in `.gitea/workflows/ci.yml` (already created in this repository). Gitea Actions uses GitHub Actions-compatible YAML syntax.
| `artifacts: paths:` | `actions/upload-artifact@v4` (not supported on Gitea GHES) |
| `cache: paths:` | `actions/cache@v4` |
| `coverage: '/regex/'` | Use coverage action or parse in step |
@@ -299,14 +292,3 @@ docker run --rm -v gitea-data:/data -v $(pwd):/backup alpine \
```
---
## 12. Removing GitLab (After Migration)
Once you have verified everything works on Gitea:
1. Update your local git remote:
```bash
git remote set-url origin ssh://git@git.yourdomain.com:2222/your-username/letzshop-product-import.git
```
2. The `.gitlab-ci.yml` file can be removed from the repository.
3. Archive or delete the GitLab project.

400
docs/deployment/gitlab.md
View File

@@ -1,400 +0,0 @@
# GitLab CI/CD Deployment Guide
This document describes how to deploy the Orion platform to a **DigitalOcean Droplet** using **bare-metal systemd + Nginx**, with automated deployments from **GitLab CI/CD**.
---
## Prerequisites
- DigitalOcean Droplet (Ubuntu 22.04+ recommended)
- Domain name pointing to your server
- GitLab repository with CI/CD enabled
- SSH key pair for deployment
---
## 1. Server Folder Structure
The application will be deployed to:
```
/var/www/orion/
├── app/ # FastAPI application
├── static/
│ ├── admin/
│ ├── store/
│ ├── shop/
│ └── shared/
├── templates/
├── alembic/ # Database migrations
├── .venv/ # Python virtual environment
├── .env # Environment variables (created manually)
└── pyproject.toml
```
---
## 2. Server Setup
### Create Deploy User (Recommended)
```bash
sudo adduser deploy --disabled-password
sudo usermod -aG sudo deploy
sudo mkdir -p /var/www/orion
sudo chown -R deploy:deploy /var/www/orion
```
### Install System Dependencies
```bash
sudo apt update
sudo apt install -y python3.11 python3.11-venv python3-pip \
build-essential libpq-dev nginx postgresql postgresql-contrib \
nodejs npm certbot python3-certbot-nginx
```
### Install uv (Python Package Manager)
```bash
curl -LsSf https://astral.sh/uv/install.sh | sh
source ~/.bashrc
```
---
## 3. Database Setup (PostgreSQL)
```bash
# Create database and user
sudo -u postgres psql << EOF
CREATE USER orion WITH PASSWORD 'your_secure_password';
CREATE DATABASE orion OWNER orion;
GRANT ALL PRIVILEGES ON DATABASE orion TO orion;
EOF
```
---
## 4. systemd Service
Create `/etc/systemd/system/orion.service`:
```ini
[Unit]
Description=Orion FastAPI Application
After=network.target postgresql.service
[Service]
User=deploy
Group=deploy
WorkingDirectory=/var/www/orion
Environment="PATH=/var/www/orion/.venv/bin"
EnvironmentFile=/var/www/orion/.env
ExecStart=/var/www/orion/.venv/bin/uvicorn app.main:app --host 127.0.0.1 --port 8000 --workers 4
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
```
Enable the service:
```bash
sudo systemctl daemon-reload
sudo systemctl enable orion
```
---
## 5. Nginx Configuration
Create `/etc/nginx/sites-available/orion`:
```nginx
server {
listen 80;
server_name yourdomain.com www.yourdomain.com;
# Static files
location /static/ {
alias /var/www/orion/static/;
expires 30d;
add_header Cache-Control "public, immutable";
}
# Media/uploads
location /uploads/ {
alias /var/www/orion/uploads/;
expires 7d;
}
# Proxy to FastAPI
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 300;
proxy_connect_timeout 300;
}
}
```
Enable the site:
```bash
sudo ln -s /etc/nginx/sites-available/orion /etc/nginx/sites-enabled/
sudo rm /etc/nginx/sites-enabled/default # Remove default site
sudo nginx -t
sudo systemctl restart nginx
```
---
## 6. HTTPS with Let's Encrypt
```bash
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
```
Certbot will automatically configure HTTPS and set up auto-renewal.
---
## 7. Firewall Configuration
```bash
sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'
sudo ufw enable
```
---
## 8. GitLab CI/CD Pipeline
Create `.gitlab-ci.yml` in your project root:
```yaml
stages:
- test
- build
- deploy
variables:
PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
UV_CACHE_DIR: "$CI_PROJECT_DIR/.cache/uv"
# Test stage
test:
stage: test
image: python:3.11
before_script:
- pip install uv
- uv venv
- source .venv/bin/activate
- uv pip install -r requirements.txt
script:
- python -m pytest tests/ -v --tb=short
only:
- merge_requests
- main
# Build Tailwind CSS
build:
stage: build
image: node:20
script:
- npm install
- npx tailwindcss -i ./static/src/input.css -o ./static/dist/output.css --minify
artifacts:
paths:
- static/dist/
expire_in: 1 week
only:
- main
# Deploy to production
deploy:
stage: deploy
image: alpine:latest
before_script:
- apk add --no-cache openssh-client rsync
- mkdir -p ~/.ssh
- echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
- chmod 600 ~/.ssh/id_ed25519
- ssh-keyscan -H $SERVER_HOST >> ~/.ssh/known_hosts
script:
# Sync files to server (excluding sensitive files)
- rsync -avz --delete
--exclude='.git'
--exclude='.env'
--exclude='*.pyc'
--exclude='__pycache__'
--exclude='.pytest_cache'
--exclude='htmlcov'
--exclude='*.db'
./ $SERVER_USER@$SERVER_HOST:$SERVER_PATH/
# Install dependencies and run migrations
- ssh $SERVER_USER@$SERVER_HOST "
cd $SERVER_PATH &&
~/.cargo/bin/uv venv --python 3.11 &&
source .venv/bin/activate &&
~/.cargo/bin/uv pip install -r requirements.txt &&
python -m alembic upgrade head
"
# Restart the service
- ssh $SERVER_USER@$SERVER_HOST "sudo systemctl restart orion"
# Verify deployment
- ssh $SERVER_USER@$SERVER_HOST "sudo systemctl status orion --no-pager"
only:
- main
environment:
name: production
url: https://yourdomain.com
```
---
## 9. GitLab CI/CD Variables
Configure these in **Settings > CI/CD > Variables**:
| Variable | Description | Example |
|----------|-------------|---------|
| `SSH_PRIVATE_KEY` | Private key for server access | `-----BEGIN OPENSSH PRIVATE KEY-----...` |
| `SERVER_USER` | SSH user on server | `deploy` |
| `SERVER_HOST` | Server IP or hostname | `203.0.113.50` |
| `SERVER_PATH` | Application directory | `/var/www/orion` |
Mark `SSH_PRIVATE_KEY` as **Protected** and **Masked**.
---
## 10. Environment Variables
Create `/var/www/orion/.env` on the server:
```bash
# Application
APP_ENV=production
DEBUG=false
SECRET_KEY=your-super-secret-key-change-this
# Database
DATABASE_URL=postgresql://orion:password@localhost:5432/orion
# Stripe (if using billing)
STRIPE_SECRET_KEY=sk_live_...
STRIPE_WEBHOOK_SECRET=whsec_...
# Email
SMTP_HOST=smtp.your-provider.com
SMTP_PORT=587
SMTP_USER=your-email@domain.com
SMTP_PASSWORD=your-smtp-password
EMAILS_FROM=noreply@yourdomain.com
# Letzshop Integration (if applicable)
LETZSHOP_API_URL=https://api.letzshop.lu
```
Secure the file:
```bash
chmod 600 /var/www/orion/.env
```
---
## 11. Deployment Flow
1. Developer pushes to `main` branch
2. GitLab runs tests
3. GitLab builds Tailwind CSS
4. GitLab syncs files to server via rsync
5. Server installs/updates Python dependencies
6. Alembic runs database migrations
7. systemd restarts the FastAPI service
8. Nginx serves the application over HTTPS
---
## 12. Maintenance Commands
```bash
# View application logs
sudo journalctl -u orion -f
# Restart application
sudo systemctl restart orion
# Check application status
sudo systemctl status orion
# Run migrations manually
cd /var/www/orion
source .venv/bin/activate
python -m alembic upgrade head
# Rollback migration
python -m alembic downgrade -1
```
---
## 13. Security Recommendations
- [ ] Use a non-root deploy user (as shown above)
- [ ] Enable fail2ban for SSH protection
- [ ] Configure PostgreSQL to only allow local connections
- [ ] Set up automated backups for the database
- [ ] Enable log rotation
- [ ] Consider using Docker for isolation
- [ ] Set up monitoring (e.g., Prometheus + Grafana)
- [ ] Configure rate limiting in Nginx
---
## 14. Troubleshooting
### Application won't start
```bash
# Check logs
sudo journalctl -u orion -n 100
# Verify environment file
cat /var/www/orion/.env
# Test manually
cd /var/www/orion
source .venv/bin/activate
uvicorn app.main:app --host 127.0.0.1 --port 8000
```
### Database connection issues
```bash
# Test PostgreSQL connection
psql -U orion -h localhost -d orion
# Check PostgreSQL status
sudo systemctl status postgresql
```
### Nginx errors
```bash
# Test configuration
sudo nginx -t
# Check error logs
sudo tail -f /var/log/nginx/error.log
```

4
docs/deployment/hetzner-server-setup.md
View File

@@ -459,9 +459,9 @@ Before setting up Caddy, point your domain's DNS to the server.
| AAAA | `@` | `2a01:4f8:1c1a:b39c::1` | 300 |
| AAAA | `www` | `2a01:4f8:1c1a:b39c::1` | 300 |
### IPv6 (AAAA) Records — TODO
### IPv6 (AAAA) Records — Completed
Optional but recommended. Add AAAA records for all domains above, pointing to the server's IPv6 address. Verify your IPv6 address first:
AAAA records are included in the DNS tables above for all domains. To verify your IPv6 address:
```bash
ip -6 addr show eth0 | grep 'scope global'

2
docs/development/code-quality-dashboard-implementation.md
View File

@@ -637,7 +637,7 @@ if args.json:
- Consider adding background job support (Celery/RQ) for long-running scans
- Add email notifications when violations assigned
- Consider GitHub/GitLab integration (comment on PRs)
- Consider Gitea/GitHub integration (comment on PRs)
- Add historical comparison (violations introduced vs fixed)
- Consider rule suggestions based on common violations

1
mkdocs.yml
View File

@@ -212,7 +212,6 @@ nav:
- Traditional VPS: deployment/production.md
- Docker: deployment/docker.md
- CloudFlare Setup: deployment/cloudflare.md
- GitLab CI/CD: deployment/gitlab.md
- Gitea CI/CD: deployment/gitea.md
- Hetzner Server Setup: deployment/hetzner-server-setup.md
- Environment Variables: deployment/environment.md

32
scripts/validate/validate_audit.py
View File

@@ -264,27 +264,23 @@ class AuditValidator(BaseValidator):
str(self.project_root),
)
# Check CI/CD exists (GitHub or GitLab)
# Check CI/CD exists (Gitea or GitHub)
gitea_ci = self.project_root / ".gitea" / "workflows" / "ci.yml"
github_ci = self.project_root / ".github" / "workflows" / "ci.yml"
gitlab_ci = self.project_root / ".gitlab-ci.yml"
if not github_ci.exists() and not gitlab_ci.exists():
if not gitea_ci.exists() and not github_ci.exists():
self.add_warning(
"COMP-EVID-001",
"CI workflow for automated testing recommended",
".gitlab-ci.yml or .github/workflows/ci.yml",
".gitea/workflows/ci.yml or .github/workflows/ci.yml",
)
# Check code review process (GitHub or GitLab)
# Check code review process
github_pr_template = self.project_root / ".github" / "PULL_REQUEST_TEMPLATE.md"
gitlab_mr_templates = self.project_root / ".gitlab" / "merge_request_templates"
has_mr_template = github_pr_template.exists() or (
gitlab_mr_templates.exists() and any(gitlab_mr_templates.iterdir())
)
if not has_mr_template:
if not github_pr_template.exists():
self.add_warning(
"COMP-POL-001",
"Merge request template recommended for code review",
".gitlab/merge_request_templates/ or .github/PULL_REQUEST_TEMPLATE.md",
"Pull request template recommended for code review",
".github/PULL_REQUEST_TEMPLATE.md",
)
# ==================
@@ -371,19 +367,13 @@ class AuditValidator(BaseValidator):
"pyproject.toml",
)
# Check for dependency scanning (GitHub Dependabot or GitLab)
# Check for dependency scanning
dependabot = self.project_root / ".github" / "dependabot.yml"
gitlab_ci = self.project_root / ".gitlab-ci.yml"
has_dep_scanning = dependabot.exists()
if not has_dep_scanning and gitlab_ci.exists():
# Check if GitLab CI includes dependency scanning
ci_content = gitlab_ci.read_text()
has_dep_scanning = "dependency_scanning" in ci_content.lower()
if not has_dep_scanning:
if not dependabot.exists():
self.add_info(
"THIRD-VULN-002",
"Consider enabling dependency scanning for security updates",
".gitlab-ci.yml (include dependency_scanning) or .github/dependabot.yml",
".github/dependabot.yml",
)
# Check for insecure package sources