ci(secu): backport new pipeline and gitleaks changes (#5754)

.githooks/pre-commit

@@ -0,0 +1,12 @@
+#!/usr/bin/env sh
+set -eu
+
+# ensure gitleaks is available
+if ! command -v gitleaks >/dev/null 2>&1; then
+  echo "Error: gitleaks is not installed or not in PATH." >&2
+  echo "Install: https://github.com/gitleaks/gitleaks#install" >&2
+  exit 1
+fi
+
+# scan for secrets before commit
+gitleaks detect --no-git --verbose

.github/CODEOWNERS

@@ -24,4 +24,4 @@ selinux/**                          @centreon/owners-pipelines
 
 .gitleaks.toml                      @centreon/owners-security
 .gitleaksignore                     @centreon/owners-security
-**/checkmarx-analysis.yml           @centreon/owners-security
+**/security-checks.yml              @centreon/owners-security

.github/workflows/actionlint.yml

@@ -19,18 +19,18 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout sources
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Download actionlint
         id: get_actionlint
-        run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+        run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/v1.7.7/scripts/download-actionlint.bash)
         shell: bash
 
       - name: Check workflow files
         run: |
           ${{ steps.get_actionlint.outputs.executable }} \
-          -ignore 'label "centreon-common" is unknown' \
-          -ignore 'label "centreon-collect-arm64" is unknown' \
+          -ignore 'label "centreon-(common|collect-arm64)" is unknown' \
+          -ignore 'label "ubuntu-(24.04|24.04-arm)" is unknown' \
           -ignore '"github.head_ref" is potentially untrusted' \
           -shellcheck= \
           -pyflakes= \
@@ -39,12 +39,15 @@ jobs:
 
       - name: Ensure SHA pinned actions
         uses: centreon/github-actions-ensure-sha-pinned-actions@47d553c67ceb08ad660deaeb3b994e47a3dd8fc3 # v3.0.23.3
+        with:
+          allowlist: |
+            centreon/security-tools
 
   yaml-lint:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout sources
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Install Yaml
         run: |

.github/workflows/checkmarx-analysis.yml

@@ -1,68 +0,0 @@
-name: Checkmarx scans
-
-on:
-  workflow_call:
-    inputs:
-      module_name:
-        required: true
-        type: string
-      module_directory:
-        required: false
-        type: string
-
-    secrets:
-      base_uri:
-        required: true
-      cx_tenant:
-        required: true
-      cx_client_id:
-        required: true
-      cx_client_secret:
-        required: true
-
-jobs:
-  pipeline-scan:
-    name: Run a pipeline scan
-    runs-on: ubuntu-24.04
-
-    steps:
-      - name: routing
-        run: |
-          # Quality gate settings
-          ENABLE_QG="true"
-          if [[ "${{ vars.CHECKMARX_QUALITY_GATE }}" != "yes" ]]; then
-            # disabling all QG in case of incident with the service
-            ENABLE_QG="false"
-            echo "Skipping analysis. Caused by QG override"
-          elif [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.user.id }}" == "49699333" ]]; then
-            # disabling the QG in case of pull request opened by dependabot bot
-            # As dependabot will not be able to access GH secrets
-            ENABLE_QG="false"
-            echo "Skipping analysis. Caused by dependabot PR"
-          fi
-
-          # Check forced full scan
-          SCAN_MODE="--sast-incremental"
-          if [[ "${{ github.event_name }}" == "schedule" || "${{ vars.CHECKMARX_FORCE_FULL_SCAN }}" == "yes" ]]; then
-            SCAN_MODE="--sast-incremental=false"
-          fi
-
-          echo "scan_mode=$SCAN_MODE" >> $GITHUB_ENV
-          echo "enable_analysis=$ENABLE_QG" >> $GITHUB_ENV
-          cat $GITHUB_ENV
-
-      - name: Checkout
-        if: env.enable_analysis  == 'true'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Checkmarx One CLI Action
-        if: env.enable_analysis  == 'true'
-        uses: checkmarx/ast-github-action@44adb082541fa1f47bcfca6de1517ff28990d813 # v2.3.22
-        with:
-          project_name: ${{ inputs.module_name }}
-          base_uri: ${{ secrets.base_uri }}
-          cx_tenant: ${{ secrets.cx_tenant }}
-          cx_client_id: ${{ secrets.cx_client_id }}
-          cx_client_secret: ${{ secrets.cx_client_secret }}
-          source_dir: "./"
-          additional_params: --scan-types "sast,sca,api-security" ${{ env.scan_mode }}

.github/workflows/gitleaks.yml

@@ -1,26 +0,0 @@
-name: gitleaks
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-on:
-  pull_request:
-  workflow_dispatch:
-
-jobs:
-  scan:
-    name: gitleaks
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-
-      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITLEAKS_LICENSE: Centreon
-          GITLEAKS_ENABLE_COMMENTS: false
-          GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
-          GITLEAKS_ENABLE_SUMMARY: false

.github/workflows/security-checks.yml

@@ -1,13 +1,10 @@
-name: plugins-analysis
+name: security-checks
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
 on:
-  workflow_dispatch:
-  schedule:
-    - cron: '30 0 * * 1-5'
   pull_request:
     branches:
       - develop
@@ -16,26 +13,22 @@ on:
     branches:
       - develop
       - master
+  workflow_dispatch:
+  schedule:
+    - cron: 0 1 * * 1-5
 
 jobs:
-  get-environment:
-    uses: ./.github/workflows/get-environment.yml
+  secrets_scan:
+    uses: centreon/security-tools/.github/workflows/gitleaks-analysis.yml@main
 
-  checkmarx-analysis:
-    needs: [get-environment]
-    if: |
-      needs.get-environment.outputs.skip_workflow == 'false' &&
-      github.event.pull_request.draft != 'true'
-    uses: ./.github/workflows/checkmarx-analysis.yml
+  code_scan:
+    uses: centreon/security-tools/.github/workflows/checkmarx-analysis.yml@main
     with:
+      module_directory:
       module_name: centreon-plugins
+      exclude_list:
     secrets:
       base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
       cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
       cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
       cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
-
-  set-skip-label:
-    needs: [get-environment, checkmarx-analysis]
-    if: needs.get-environment.outputs.skip_workflow == 'false'
-    uses: ./.github/workflows/set-pull-request-skip-label.yml