
Draft: ci(security): add baseline security scans for App Lounge

Summary

This merge request introduces a first security CI baseline for the App Lounge Android project.

It adds four dedicated security jobs in .gitlab-ci.yml, with one commit per tool:

  • semgrep-ce: SAST scan with Semgrep Community Edition.
  • gitleaks: secret detection in the repository.
  • trivy-fs: filesystem/dependency and misconfiguration scan (High/Critical gate).
  • dependency-check: OWASP Dependency-Check scan (fail on CVSS >= 7), with optional NVD_API_KEY support.

It also updates README.md to display CI badges for these four jobs under a new Security CI Status section.

Scope

  • Project: e/os/apps (App Lounge module)
  • Branch: 000-os-security-ci-tools
  • Target: main

Notes

  • This MR intentionally excludes MobSF for now.
  • These checks run in the code-quality stage and follow the existing .build_rules behavior for MR/default-branch/tag pipelines.
  • Reports are stored as job artifacts:
    • semgrep-report.json
    • gitleaks-report.json
    • trivy-fs-report.json
    • dependency-check-report/
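One possible shape for the four jobs and artifacts listed above, written as an added example rather than the MR's actual .gitlab-ci.yml. The `code-quality` stage, the `.build_rules` anchor, the report file names, the High/Critical gate, the CVSS >= 7 threshold and the optional NVD_API_KEY come from the description; the image tags, the contents of `.build_rules` (sketched here only so the file is self-contained), the Dependency-Check script path inside the image and the choice to fail Semgrep on findings are assumptions.

```yaml
# Added example, not the App Lounge project's own pipeline file.
# Assumed: image tags (pin real versions), the body of .build_rules, and the
# dependency-check.sh path inside the owasp/dependency-check image.

stages:
  - code-quality            # stage named in the MR; other stages omitted

# Assumed stand-in for the project's existing .build_rules: restrict runs to
# merge requests, the default branch and tags.
.build_rules:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG

# SAST with Semgrep Community Edition. --error makes findings a non-zero exit
# (a gate); drop it if the job should only report.
semgrep-ce:
  stage: code-quality
  extends: .build_rules
  image: semgrep/semgrep:latest           # assumed tag
  script:
    - semgrep scan --config auto --error --json --output semgrep-report.json .
  artifacts:
    when: always                          # keep the report even if the gate fails
    paths: [semgrep-report.json]

# Secret detection. GIT_DEPTH: 0 turns off GitLab's shallow clone; with a
# shallow clone gitleaks would only see the newest commits.
gitleaks:
  stage: code-quality
  extends: .build_rules
  image:
    name: zricethezav/gitleaks:latest     # assumed tag
    entrypoint: [""]
  variables:
    GIT_DEPTH: 0
  script:
    - gitleaks detect --source . --report-format json --report-path gitleaks-report.json
  artifacts:
    when: always
    paths: [gitleaks-report.json]

# Filesystem scan for vulnerable dependencies and misconfigurations.
# --severity HIGH,CRITICAL together with --exit-code 1 is the High/Critical gate.
trivy-fs:
  stage: code-quality
  extends: .build_rules
  image:
    name: aquasec/trivy:latest            # assumed tag
    entrypoint: [""]
  script:
    - >
      trivy fs --scanners vuln,misconfig --severity HIGH,CRITICAL --exit-code 1
      --format json --output trivy-fs-report.json .
  artifacts:
    when: always
    paths: [trivy-fs-report.json]

# OWASP Dependency-Check; --failOnCVSS 7 fails on any finding with CVSS >= 7.
# NVD_API_KEY is an optional masked CI/CD variable: without it the NVD feed
# download still works but is rate-limited, so the job runs much slower.
dependency-check:
  stage: code-quality
  extends: .build_rules
  image:
    name: owasp/dependency-check:latest   # assumed tag
    entrypoint: [""]
  script:
    - |
      EXTRA_ARGS=""
      if [ -n "${NVD_API_KEY:-}" ]; then EXTRA_ARGS="--nvdApiKey $NVD_API_KEY"; fi
      /usr/share/dependency-check/bin/dependency-check.sh \
        --project "App Lounge" --scan . \
        --format ALL --out dependency-check-report \
        --failOnCVSS 7 $EXTRA_ARGS
  artifacts:
    when: always
    paths: [dependency-check-report/]
```

`artifacts: when: always` matters for every gating job: a failed scan is exactly the run whose report reviewers need to read, and the default `on_success` would discard it.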

Follow-up

After this baseline is stable, we can add:

  • SARIF/GitLab-native security report integration where relevant.
  • Caching tuning for Trivy and Dependency-Check data to reduce runtime.
  • Optional SpotBugs/FindSecBugs for additional JVM-focused security rules.
