chore: add pre-commit, CI checks, and trivy scanning

dialupdisaster · dialupdisaster · commit 9928e9772c66 · 2026-02-25T20:13:55.000-05:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,26 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  rust-checks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Format check
+        run: cargo fmt --all -- --check
+
+      - name: Tests
+        run: cargo test --all-targets
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,31 @@
+name: Trivy Scan
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "21 4 * * 1"
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Trivy filesystem scan
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          scanners: vuln,misconfig,secret
+          severity: HIGH,CRITICAL
+          ignore-unfixed: true
+          exit-code: "1"
+          format: table
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,38 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-toml
+      - id: check-merge-conflict
+
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.24.2
+    hooks:
+      - id: gitleaks
+        args: ["protect", "--staged", "--verbose"]
+
+  - repo: local
+    hooks:
+      - id: cargo-fmt-check
+        name: cargo fmt --check
+        entry: cargo fmt --all -- --check
+        language: system
+        pass_filenames: false
+        types_or: [rust]
+
+      - id: cargo-test
+        name: cargo test
+        entry: cargo test -q
+        language: system
+        pass_filenames: false
+        stages: [pre-push]
+
+      - id: trivy-fs-high-critical
+        name: trivy fs (HIGH/CRITICAL)
+        entry: trivy fs --scanners vuln,misconfig,secret --severity HIGH,CRITICAL --exit-code 1 --no-progress .
+        language: system
+        pass_filenames: false
+        stages: [pre-push]
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -9,6 +9,9 @@ Thanks for contributing.
 - Rust stable toolchain
 - Git
 - `bd` (beads) for issue tracking
+- `pre-commit`
+- `gitleaks`
+- `trivy`
 
 ## Getting Started
 
@@ -70,13 +73,29 @@ cargo test
 
 - If behavior changes, update docs in the same PR (`README.md`, `AGENTS.md`, this file, or `SECURITY.md` when relevant).
 
-## Secret Scanning
+## Pre-commit Hooks
 
-- CI runs `gitleaks` on pushes and pull requests.
-- Before opening a PR, run a local scan if `gitleaks` is installed:
+Install and enable hooks:
+
+```bash
+pre-commit install
+pre-commit install --hook-type pre-push
+```
+
+Run all hooks manually:
+
+```bash
+pre-commit run --all-files
+```
+
+## Security Scanning
+
+- CI runs `gitleaks` and `trivy` on pushes and pull requests.
+- Before opening a PR, run local scans:
 
 ```bash
 gitleaks git --no-banner
+trivy fs --scanners vuln,misconfig,secret --severity HIGH,CRITICAL --exit-code 1 --no-progress .
 ```
 
 ## Commit Guidelines
