From 943bfdbdb240ae0fb9fbedaf3fd7b2aa6d399b27 Mon Sep 17 00:00:00 2001
From: Romain
Date: Tue, 21 Apr 2026 18:08:22 +0200
Subject: [PATCH 1/4] ci(security): add semgrep ce scan job
---
 .gitlab-ci.yml | 19 +++++++++++++++++--
 README.md | 8 ++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5c377ddb5..6a2a6631c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -87,7 +87,7 @@ build-release:
 paths:
 - app/build/outputs/apk/release
-analysis:
+code-quality:
 stage: code-quality
 <<: *build_rules
 needs:
@@ -99,7 +99,7 @@ analysis:
 - app/build/reports/
 - build/reports/
-tests:
+unit-tests:
 stage: code-quality
 <<: *build_rules
 needs:
@@ -117,6 +117,21 @@ tests:
 coverage_format: jacoco
 path: app/build/reports/jacoco/jacocoReleaseReport/jacocoReleaseReport.xml
+code-security:
+ image: semgrep/semgrep:latest
+ stage: code-quality
+ <<: *build_rules
+ needs: []
+ script:
+ - semgrep scan --config=auto --error --json-output semgrep-report.json --junit-xml-output semgrep-junit.xml .
+ artifacts:
+ when: always
+ reports:
+ junit: semgrep-junit.xml
+ paths:
+ - semgrep-report.json
+ - semgrep-junit.xml
+
 generate-apks:
 stage: build
 <<: *rules_publish
diff --git a/README.md b/README.md
index 8c1115741..2c8587d73 100644
--- a/README.md
+++ b/README.md
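Review bot: `image: semgrep/semgrep:latest` pins nothing, so the CLI, its bundled behaviour and its exit codes can change under the pipeline whenever the tag moves; the same applies to `zricethezav/gitleaks:latest`, `aquasec/trivy:latest` and `owasp/dependency-check:latest` in the following patches. A version tag (or a digest) makes a failing gate reproducible and keeps a broken or tampered upstream push from silently reaching CI. `--config=auto` additionally resolves its rulesets from the Semgrep registry at every run and, as far as I recall, forces metrics on; an explicit ruleset such as `--config p/default` keeps the scan deterministic and documents what is actually checked. With `--error` and no `allow_failure`, a finding of any severity blocks the pipeline, which is a fine policy but worth stating above the job, e.g. `# any Semgrep finding fails the pipeline; triage via .semgrepignore or nosemgrep comments before merging`.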
@@ -1,3 +1,11 @@
+[![build-release](https://gitlab.e.foundation/e/os/apps/badges/000-os-security-ci-tools/pipeline.svg?job=build-release&key_text=Build%20Release&key_width=120)](https://gitlab.e.foundation/e/os/apps/-/jobs?name=build-release&kind=BUILD)
+[![code-quality](https://gitlab.e.foundation/e/os/apps/badges/000-os-security-ci-tools/pipeline.svg?job=code-quality&key_text=Code%20Quality&key_width=120)](https://gitlab.e.foundation/e/os/apps/-/jobs?name=code-quality&kind=BUILD)
+[![unit-tests](https://gitlab.e.foundation/e/os/apps/badges/000-os-security-ci-tools/pipeline.svg?job=unit-tests&key_text=Unit%20Tests&key_width=120)](https://gitlab.e.foundation/e/os/apps/-/jobs?name=unit-tests&kind=BUILD)
+[![code-security](https://gitlab.e.foundation/e/os/apps/badges/000-os-security-ci-tools/pipeline.svg?job=code-security&key_text=Code%20Security&key_width=120)](https://gitlab.e.foundation/e/os/apps/-/jobs?name=code-security&kind=BUILD)
+[![secret-scan](https://gitlab.e.foundation/e/os/apps/badges/000-os-security-ci-tools/pipeline.svg?job=secret-scan&key_text=Secret%20Scan&key_width=120)](https://gitlab.e.foundation/e/os/apps/-/jobs?name=secret-scan&kind=BUILD)
+[![high-critical-scan](https://gitlab.e.foundation/e/os/apps/badges/000-os-security-ci-tools/pipeline.svg?job=high-critical-scan&key_text=High%2FCritical&key_width=120)](https://gitlab.e.foundation/e/os/apps/-/jobs?name=high-critical-scan&kind=BUILD)
+[![dependency-vuln-scan](https://gitlab.e.foundation/e/os/apps/badges/000-os-security-ci-tools/pipeline.svg?job=dependency-vuln-scan&key_text=Dependency%20Vuln&key_width=130)](https://gitlab.e.foundation/e/os/apps/-/jobs?name=dependency-vuln-scan&kind=BUILD)
+
 # App Lounge
 App Lounge is an open-source application that allows you to install Android apps on your device quickly and easily. It is licensed and distributed under [The GNU General Public License v3.0](https://www.gnu.org/licenses/gpl-3.0.en.html).
-- 
GitLab
From d96797f9b330512b5c194bd5ffb6acee6723a9ea Mon Sep 17 00:00:00 2001
From: Romain
Date: Tue, 21 Apr 2026 18:10:11 +0200
Subject: [PATCH 2/4] ci(security): add gitleaks scan job
---
 .gitlab-ci.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6a2a6631c..473124ce1 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -132,6 +132,22 @@ code-security:
 - semgrep-report.json
 - semgrep-junit.xml
+secret-scan:
+ image:
+ name: zricethezav/gitleaks:latest
+ entrypoint: [""]
+ stage: code-quality
+ <<: *build_rules
+ needs: []
+ script:
+ - gitleaks detect --source . --no-git --redact --exit-code 1 --report-format junit --report-path gitleaks-junit.xml
+ artifacts:
+ when: always
+ reports:
+ junit: gitleaks-junit.xml
+ paths:
+ - gitleaks-junit.xml
+
 generate-apks:
 stage: build
 <<: *rules_publish
-- 
GitLab
From 6aa94810bf00eea3a9ddc5956a55ec48025afb0f Mon Sep 17 00:00:00 2001
From: Romain
Date: Tue, 21 Apr 2026 18:13:58 +0200
Subject: [PATCH 3/4] ci(security): add trivy fs scan job
---
 .gitlab-ci.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 473124ce1..fd7963943 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -148,6 +148,24 @@ secret-scan:
 paths:
 - gitleaks-junit.xml
+high-critical-scan:
+ image:
+ name: aquasec/trivy:latest
+ entrypoint: [""]
+ stage: code-quality
+ <<: *build_rules
+ needs: []
+ variables:
+ TRIVY_CACHE_DIR: ".trivycache/"
+ script:
+ - trivy fs --severity HIGH,CRITICAL --exit-code 1 --no-progress --format template --template "@/contrib/junit.tpl" --output trivy-fs-junit.xml .
+ artifacts:
+ when: always
+ reports:
+ junit: trivy-fs-junit.xml
+ paths:
+ - trivy-fs-junit.xml
+
 generate-apks:
 stage: build
 <<: *rules_publish
-- 
GitLab
From e877fefb308a51a84166c3984f5312a9e6106d4e Mon Sep 17 00:00:00 2001
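Review bot: `gitleaks detect --source . --no-git` inspects only the files present in the checkout, so a secret that was committed earlier and later removed stays in history and is never reported, even though the tree at HEAD is rarely where a leaked credential still sits once someone has noticed it. If history coverage is intended, drop `--no-git` and add `GIT_DEPTH: 0` under `variables:` (GitLab clones shallowly by default), accepting the longer clone. If working-tree-only scanning is deliberate, say so next to the command, e.g. `# working tree only: commit history is not scanned (--no-git)`, so the next reader does not assume more coverage than the job provides. `--redact` is the right choice for a report that is published as an artifact.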
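Review bot: `TRIVY_CACHE_DIR: ".trivycache/"` is set but no `cache:` keyword persists the directory, so every run downloads the vulnerability DB from scratch and the variable buys nothing; adding `cache:`, `key: trivy-db`, `paths: [.trivycache/]` to the job fixes that. As far as I know `trivy fs` detects Gradle dependencies only through a `gradle.lockfile`, so on a project without lockfiles the scan can find no packages and pass trivially — check the job log for the detected targets before relying on this as a gate. By default `trivy fs` also runs its secret scanner, which duplicates the `secret-scan` job; `--scanners vuln` narrows it to what the job name promises.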
From: Romain
Date: Tue, 21 Apr 2026 18:14:18 +0200
Subject: [PATCH 4/4] ci(security): add dependency-check scan job
---
 .gitlab-ci.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index fd7963943..62304fc8b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -166,6 +166,30 @@ high-critical-scan:
 paths:
 - trivy-fs-junit.xml
+dependency-vuln-scan:
+ image: owasp/dependency-check:latest
+ stage: code-quality
+ <<: *build_rules
+ needs: []
+ variables:
+ DEPENDENCY_CHECK_DATA: ".dependency-check-data"
+ script:
+ - mkdir -p dependency-check-report
+ - |
+ if [ -n "$NVD_API_KEY" ]; then
+ dependency-check.sh --scan . --project "$CI_PROJECT_PATH_SLUG" --data "$DEPENDENCY_CHECK_DATA" --format "JSON" --format "HTML" --format "JUNIT" --out dependency-check-report --nvdApiKey "$NVD_API_KEY" --failOnCVSS 7 --junitFailOnCVSS 7
+ else
+ dependency-check.sh --scan . --project "$CI_PROJECT_PATH_SLUG" --data "$DEPENDENCY_CHECK_DATA" --format "JSON" --format "HTML" --format "JUNIT" --out dependency-check-report --failOnCVSS 7 --junitFailOnCVSS 7
+ fi
+ artifacts:
+ when: always
+ reports:
+ junit:
+ - dependency-check-report/*junit*.xml
+ - dependency-check-report/*JUNIT*.xml
+ paths:
+ - dependency-check-report/
+
 generate-apks:
 stage: build
 <<: *rules_publish
-- 
GitLab
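Review bot: `DEPENDENCY_CHECK_DATA: ".dependency-check-data"` places the NVD database inside the workspace, but without a `cache:` entry the directory is discarded after each job, so every pipeline re-downloads the full feed — slow with an API key and, as far as I know, prone to throttling without one; adding `cache:`, `key: dependency-check-data`, `paths: [.dependency-check-data/]` makes the variable useful. The two `dependency-check.sh` invocations differ only in `--nvdApiKey`, which invites the two long lines to drift apart; building the argument list once and appending the key conditionally removes the duplication (below). The CLI also scans only what is on disk and does not resolve Gradle dependencies itself, so unless resolved artifacts are present in the tree the scan may see far less than the build does — TODO confirm against the dependency count in a real run.
```yaml
  script:
    - mkdir -p dependency-check-report
    - |
      set -- --scan . --project "$CI_PROJECT_PATH_SLUG" --data "$DEPENDENCY_CHECK_DATA" --format "JSON" --format "HTML" --format "JUNIT" --out dependency-check-report --failOnCVSS 7 --junitFailOnCVSS 7
      if [ -n "$NVD_API_KEY" ]; then
        set -- "$@" --nvdApiKey "$NVD_API_KEY"
      fi
      dependency-check.sh "$@"
  # … unchanged: artifacts …
```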