[CU-86b8rd19x] Add PR validation pipeline with SCA, SAST, and secrets detection (#18)

* [CU-86b8rd19x] Add PR validation pipeline with SCA, SAST, and secrets detection

Replace Cloud Build-only CI with GitHub Actions for PR validation:
- Build & Test, SAST (SonarQube), SCA (Trivy with SBOM), Secrets Detection (Gitleaks)
- Add .gitleaks.toml, .gitleaksignore, .trivyignore.yaml

Author: janfaron

.github/workflows/build-test-analyse.yml

@@ -0,0 +1,41 @@
+name: Build, Test & Analyse
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  build-and-test-java-app:
+    name: Build & Test Java App
+    uses: DNAstack/dnastack-development-tools/.github/workflows/build-test-java-app.yml@945ddc20e0baa715095f63b282d81da7df57dd0b
+    with:
+      java-version: 17
+    secrets:
+      pat-with-read-packages-permission: ${{ secrets.AUTH_TOKEN }}
+
+  sast:
+    name: SAST (SonarQube)
+    uses: DNAstack/dnastack-development-tools/.github/workflows/sast.yml@945ddc20e0baa715095f63b282d81da7df57dd0b
+    with:
+      with-frontend: false
+      java-version: 17
+    secrets:
+      pat-with-read-packages-permission: ${{ secrets.AUTH_TOKEN }}
+      sonar-token: ${{ secrets.SONAR_TOKEN }}
+      sonar-host-url: ${{ secrets.SONAR_HOST_URL }}
+
+  sca:
+    name: SCA (Trivy)
+    uses: DNAstack/dnastack-development-tools/.github/workflows/sca.yml@945ddc20e0baa715095f63b282d81da7df57dd0b
+    with:
+      java-version: 17
+    secrets:
+      pat-with-read-packages-permission: ${{ secrets.AUTH_TOKEN }}
+
+  secrets-detection:
+    name: Secrets Detection (Gitleaks)
+    uses: DNAstack/dnastack-development-tools/.github/workflows/secrets-detection.yml@945ddc20e0baa715095f63b282d81da7df57dd0b
+    secrets:
+      gitleaks-license: ${{ secrets.GITLEAKS_LICENSE }}

.gitleaks.toml

@@ -0,0 +1,13 @@
+# Gitleaks configuration — controls secret scanning behavior.
+# See: https://github.com/gitleaks/gitleaks#configuration
+
+# Use the default detection rules.
+[extend]
+  useDefault = true
+
+# Exclude build artifacts and dependency directories from scanning.
+[[allowlists]]
+  description = "exclude build artifacts and dependency directories"
+  paths = [
+    '''target/''',
+  ]

.gitleaksignore

@@ -0,0 +1,6 @@
+# Gitleaks ignore file — suppresses known/accepted secret findings.
+# Each line is a fingerprint from gitleaks output. New secrets in the same
+# files will still be caught — only these specific findings are suppressed.
+#
+# To add a new entry: run `gitleaks detect --source . --no-git -v`,
+# copy the Fingerprint line, and add it here with a comment explaining why.

.trivyignore.yaml

@@ -0,0 +1,8 @@
+# Trivy ignore file for known/accepted vulnerabilities.
+# See: https://trivy.dev/docs/configuration/filtering/#trivyignoreyaml
+#
+# Format:
+#   vulnerabilities:
+#     - id: CVE-XXXX-XXXXX
+#       reason: "Why this is acceptable"
+#       expired_at: 2026-XX-XXT00:00:00Z