[#112] Add third party tools to project (#126)

* feat(#112): project - plug Renovate

Signed-off-by: Pierre-Yves Lapersonne <pierreyves.lapersonne@orange.com>

* feat(#112): project - plug Gitleaks

Signed-off-by: Pierre-Yves Lapersonne <pierreyves.lapersonne@orange.com>

* doc(#112): add details about third-party tools plugged to repo

Signed-off-by: Pierre-Yves Lapersonne <pierreyves.lapersonne@orange.com>

---------

Signed-off-by: Pierre-Yves Lapersonne <pierreyves.lapersonne@orange.com>

Author: pylapp

.github/workflows/gitleaks-action.yml

@@ -0,0 +1,25 @@
+# Software Name: floss-toolbox
+# SPDX-FileCopyrightText: Copyright (c) Orange SA
+# SPDX-License-Identifier: Apache-2.0
+#
+# This software is distributed under the Apache 2.0 license,
+# the text of which is available at https://opensource.org/license/apache-2-0
+# or see the "LICENSE.txt" file for more details.
+#
+# Authors: See CONTRIBUTORS.txt
+# Software description: A toolbox of scripts to help work of forges admins and open source referents
+
+name: gitleaks
+on: [pull_request, push, workflow_dispatch]
+jobs:
+  scan:
+    name: gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

CHANGELOG.md

@@ -9,10 +9,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+- [Project] Plug Renovate, Gitleaks ([#112](https://github.com/Orange-OpenSource/floss-toolbox/issues/112))
 - [Licenses Inventory] Improve requirements for Python modules in use ([#108](https://github.com/Orange-OpenSource/floss-toolbox/issues/108))
 - [Project] Apply REUSE standards ([#114](https://github.com/Orange-OpenSource/floss-toolbox/issues/114))
 - [Utils] Add metrics and improve outputs for third-party generator scripts
-- [Project] Improve a bit CHANGELOG by leading scope keyword for each line
+- [Project] Improve a bit CHANGELOG by leading-scope-keyword for each line
 
 ## [2.15.0] - 2024-03-12
 

README.md

@@ -19,14 +19,14 @@ _Python_ is also used.
 And a bit of _PHP_ because it is nice to use several languages we are not used to (stop the routine!).
 For these needs scripting is enough.
 
-# Environment
+## Environment
 
 You should have mainly the following environments bellow, but have a look on each folder README:
 - _Bash_ version **3.2.5**
 - _Ruby_ version **2.7.1**
 - _Python_ version **3.7**
 
-# Project tree
+## Project tree
 
 There are 5 folders containing scripts and programs to make your life a bit easier:
 
@@ -38,10 +38,34 @@ There are 5 folders containing scripts and programs to make your life a bit easi
 
 Feel free to read each README available in all of the subdirectories listed above.
 
-# Dry run
+## Dry run
 
 To be sure you have a ready-to-run project, you can run the following dry-run command which will check if runtimes, third party tools and files are available.
 
 ```shell
 bash dry-run.sh
-```
+```
+
+## About the repository
+
+### Renovate
+
+[Renovate](https://docs.renovatebot.com/) is used to as to try to keep updated dependencies of the project.
+A _renovate.json_ must be added at the project root with cofiguration details ; but **the organization admins must enable it** (through the [admin console](https://developer.mend.io/)).
+
+### Gitleaks
+
+[Gitleaks](https://github.com/gitleaks/gitleaks) is used so as to look for secrets and leak of sensitive data.
+A _gitleaks.toml_ file has been placed at the project root, picked from the _Gitleaks_ repository, to define rules.
+A *gitleaks-action.yml* is also defined to define the GitHub Action to call and some secrets to use to do so.
+The *GITLEAKS_LICENSE* is defined in the organization level, **only the organization admins can make it visible to projects**.
+This key (dedicated to organization) has been asked to the *Gitleaks* team and received gratefully from them.
+
+### DCO
+
+The *Developer Certificate of Origin* is applied here thanks to a [Probot bot](https://probot.github.io/apps/dco/).
+On pull requests all commits must be signed off. This control is processed in an action.
+
+### Dependabot
+
+By default [Dependabot](https://docs.github.com/fr/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security#what-is-dependabot) is enabled for this project.

THIRD-PARTY.md

@@ -6,13 +6,23 @@ This document contains the list of Third Party Softwares along with the license
 Third Party Software may impose additional restrictions and it is the user's responsibility to ensure that they have met the licensing
 requirements of the relevant license of the Third Party Software they are using.
 
+## For project
+
+### gitleaks.toml
+
+Copyright (c) 2019 Zachary Rice
+
+The *gitleaks.toml* file was generated and distributed under the terms and conditions of the [MIT License](https://opensource.org/license/MIT).
+You may download the source code on the [following website](https://github.com/gitleaks/gitleaks).
+The local version has been modified by us since.
+
 ## For "github" bucket
 
 ### Octokit
 
 Version 6.1.1
 
-Copyright 2009-2017 Wynn Netherland, Adam Stacoviak, Erik Michaels-Ober
+Copyright (c) 2009-2017 Wynn Netherland, Adam Stacoviak, Erik Michaels-Ober
 
 *octokit.rb* is distributed under the terms and conditions of the [MIT License](https://opensource.org/license/MIT).
 You may download the source code on the [following website](https://github.com/octokit/octokit.rb).