--- steps: gitleaks: image: zricethezav/gitleaks:v8.18.2@sha256:eadfe256fa18d6a78a717abc9ed454c8e03865d1c46d627bca83977f4424901a commands: - gitleaks detect --no-git --verbose --source $CI_WORKSPACE when: - evaluate: 'CI_PIPELINE_EVENT == "push" && CI_COMMIT_BRANCH == CI_REPO_DEFAULT_BRANCH' - evaluate: 'CI_PIPELINE_EVENT == "pr"' # when: # branch: # include: [master, master] # exclude: [renovate/*] hadolint: image: pipelinecomponents/hadolint:0.26.0@sha256:7122937006c7a9bcbb78ce764d3c2f0092f183b843ad128bc9fd6ea918e22d5b commands: - hadolint Dockerfile when: event: exclude: - tag shellcheck: image: "koalaman/shellcheck-alpine:latest@sha256:eed99e46acb69ede0f68db4fd8f1b3b00cc09d66cb7d4d6f1f6296bd8833932d" commands: - | find . -type f -not -path './.git/*' -not -path './collections/*' -exec file {} \; | while IFS= read -r line; do if echo "$line" | grep -q "shell script"; then file_path=$(echo "$line" | awk -F':' '{print $1}') shellcheck "$file_path" fi done ...