KeiSeiKit-1.0/_blocks/ci-security-gate.md

CI — Security gate (secrets, SCA, SBOM, semgrep, licenses)

Every PR passes through this gate before merge. Every scheduled run re-scans main. Pair with ci-github-actions.md / ci-forgejo-actions.md (the shell) and RULE 0.8 (secrets SSoT) / () — the gate enforces both.

Scanner set (one job each, matrix is fine)

Concern	Tool	Trigger	Fail threshold
Leaked secrets	gitleaks [VERIFIED: https://github.com/gitleaks/gitleaks]	PR + push	any finding
Rust SCA	cargo-audit [VERIFIED: https://github.com/rustsec/rustsec]	PR + cron daily	any Vulnerability
Node SCA	npm audit / pnpm audit (native)	PR + cron	high and above
Python SCA	pip-audit [VERIFIED: https://github.com/pypa/pip-audit]	PR + cron	any CVE
SBOM generation	syft [VERIFIED: https://github.com/anchore/syft]	release only	CycloneDX JSON as artefact
SAST / patterns	semgrep [VERIFIED: https://github.com/semgrep/semgrep]	PR	any ERROR severity
License policy	cargo-deny [VERIFIED: https://github.com/EmbarkStudios/cargo-deny] (Rust) / license-checker (JS)	PR	disallowed SPDX ID

gitleaks — secrets scan (always first)

Runs before any build step so that a detected secret aborts the job without ever shipping a binary that used it.

- uses: gitleaks/gitleaks-action@v2          # [VERIFIED: https://github.com/gitleaks/gitleaks-action]
  env:
    GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}   # orgs only; free for ≤25 users

Custom rules in .gitleaks.toml at repo root — mirror the patterns from ~/.claude/rules/secrets-single-source.md (sk-, ghp_, sk-ant-, Telegram bot, AWS access key, etc.). Any hit FAILS the run. No "informational" severity for secrets.

cargo-audit / pip-audit / npm audit

Daily cron to catch CVEs published after merge. Fail-fast on HIGH/CRITICAL; report MEDIUM to a tracking issue rather than blocking the PR.

- run: cargo audit --deny warnings --deny unmaintained --deny yanked

Pin the advisory-DB commit in vendored copies; upstream can get taken down.

SBOM via syft

Generate CycloneDX JSON for every published artefact. Attach to the GitHub Release (see ci-release-automation.md) and to the container image as an OCI annotation.

- uses: anchore/sbom-action@v0               # [VERIFIED: https://github.com/anchore/sbom-action]
  with:
    format: cyclonedx-json
    artifact-name: sbom.cdx.json

SLSA provenance (slsa-framework/slsa-github-generator) is an optional upgrade; required when shipping to any customer under a supply-chain contract.

semgrep — SAST

p/default + p/secrets + p/owasp-top-ten + any language pack relevant to the repo. Custom rules under .semgrep/*.yaml for project-specific patterns (e.g. "no unwrap() in request handlers").

- uses: semgrep/semgrep-action@v1            # [VERIFIED: https://github.com/semgrep/semgrep-action]
  env:
    SEMGREP_RULES: p/default p/secrets p/owasp-top-ten

License policy

cargo-deny deny.toml declares allowed SPDX identifiers (MIT, Apache-2.0, BSD-3-Clause, ISC, Unicode-DFS-2016). Anything else FAILS the PR. GPL / AGPL / SSPL in a commercial repo = hard stop. For JS, license-checker --failOn 'GPL;AGPL;SSPL'.

Scheduling

on:
  pull_request:
  push: { branches: [main] }
  schedule:
    - cron: "17 3 * * *"      # daily 03:17 UTC — off-hour, avoids global burst

Forbidden

• Running the security gate AFTER build/test (secret must block before the secret-using binary exists)
• Allowing "informational" severity on secrets scans (gitleaks = binary; 0 or 1)
• Skipping cargo-audit / pip-audit on release workflows (a CVE published yesterday ships today without it)
• Uploading SBOM to a public artefact store from a RULE-0.1 repo (internal artefact store only)
• Copy-pasting a secret detected by gitleaks into the chat to "discuss" — rotate at provider FIRST, then discuss