ci(secu): update analyses

.githooks/pre-commit

@@ -0,0 +1,12 @@
+#!/usr/bin/env sh
+set -eu
+
+# ensure gitleaks is available
+if ! command -v gitleaks >/dev/null 2>&1; then
+  echo "Error: gitleaks is not installed or not in PATH." >&2
+  echo "Install: https://github.com/gitleaks/gitleaks#install" >&2
+  exit 1
+fi
+
+# scan for secrets before commit
+gitleaks protect -v --staged

.github/CODEOWNERS

@@ -0,0 +1,10 @@
+
+# Pipelines Codeowners rules
+.github/**                    @quanta-computing/owners-pipelines
+.yamlfix.toml                 @quanta-computing/owners-pipelines
+
+# Security Codeowners rules
+.gitleaks.toml                @quanta-computing/owners-security
+.gitleaksignore               @quanta-computing/owners-security
+.githooks/pre-commit          @quanta-computing/owners-security
+**/secu-*.yml                 @quanta-computing/owners-security

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: '/'
+    schedule:
+      interval: monthly
+    open-pull-requests-limit: 50
+    labels:
+      - 'dependencies'
+      - 'gha'

.github/workflows/actionlint.yml

@@ -0,0 +1,26 @@
+name: actionlint
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - ".github/**"
+
+jobs:
+  action-lint:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Ensure SHA pinned actions
+        uses: centreon/github-actions-ensure-sha-pinned-actions@47d553c67ceb08ad660deaeb3b994e47a3dd8fc3 # v3.0.23.3
+        with:
+          allowlist: |
+            centreon/security-tools

.github/workflows/secu-dependency-scan.yml

@@ -0,0 +1,17 @@
+name: dependency-scan
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+
+on:
+  pull_request:
+    paths:
+      - '**'
+      - '!lib/crates/**'
+      - '!tests/**'
+
+  workflow_dispatch:
+
+jobs:
+  dependency-scan:
+    uses: centreon/security-tools/.github/workflows/dependency-analysis.yml@main

.github/workflows/secu-secret-scan.yml

@@ -0,0 +1,12 @@
+name: secrets-scan
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  secrets-scan:
+    uses: centreon/security-tools/.github/workflows/gitleaks-analysis.yml@main

.gitleaks.toml

@@ -0,0 +1,22 @@
+title = "Gitleaks custom rules"
+
+[extend]
+useDefault = true
+
+[allowlist]
+paths = [
+  '''node_modules\/''',
+  '''vendor\/''',
+  '''(.*?)\.rptlibrary''',
+  '''package\.json''',
+  '''package-lock\.json''',
+  '''composer\.json''',
+  '''composer\.lock''',
+  '''\.gitleaks\.toml$''',
+  '''(.*?)(jpg|gif|doc|pdf|bin)$'''
+]
+
+regexTarget = "match"
+regexes = [
+  '''ABCDEFG1234567890'''
+]