gitlab-security-setup
Install: claude install-skill educlopez/mallard
# GitLab Security Setup
Full security stack for your company's GitLab.com projects on the Free tier.
Covers: pnpm 11 supply chain, Trivy weekly scan, HTML email reports via Gmail.
> **Placeholder:** `{report_recipients}` is a comma-separated list of email
> addresses that receive the vulnerability reports (e.g. `you@example.com, teammate@example.com`).
> Replace it everywhere it appears below with your own recipient address(es) before running.
## What gets set up
1. **pnpm 11** with supply chain protection (`minimumReleaseAge`, overrides)
2. **Trivy** vulnerability + secret scanner via GitLab CI
3. **Weekly scheduled pipeline** (Monday 8am Madrid) with HTML email report
4. **Composer audit** for PHP/Laravel projects
5. **Gmail SMTP** delivery via GitLab CI/CD variables
---
## Step 1 — pnpm 11 Supply Chain
### `pnpm-workspace.yaml` (create or update)
```yaml
minimumReleaseAge: 2880 # packages must be 48h old before install (value is in minutes)
overrides:
  form-data: ">=4.0.4"
  axios: ">=1.15.2"
  lodash: ">=4.18.0"
  picomatch: ">=4.0.4"
  qs: ">=6.14.2"
```
**Rules:**
- `minimumReleaseAge` is in **minutes** (2880 = 48h): pnpm will not install a version published more recently than that. This blocks supply chain attacks that depend on a freshly published malicious release (typosquatting/fast-publish) being pulled in before it is noticed and removed.
- `overrides` pins known vulnerable transitive deps. Add new entries as CVEs appear.
- Do NOT put `minimumReleaseAge` in `.npmrc` — pnpm 11 reads it from `pnpm-workspace.yaml` only.
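Overrides only take effect once the lockfile has been re-resolved, so a quick audit that checks the committed `pnpm-lock.yaml` against the floors in `pnpm-workspace.yaml` is worth running in CI. The following is an added example, not part of this skill: it uses constructed sample files (a workspace config like Step 1's and a lockfile fragment where `form-data` still resolves to 4.0.2), parses both with a minimal hand-written YAML reader, and reports every locked version below a `>=` floor, any override range it cannot check, and a `minimumReleaseAge` below policy.

```python
import re
# Constructed sample inputs (not files from the page): a Step 1 workspace config and a lockfile fragment.
WORKSPACE_YAML = """\
minimumReleaseAge: 2880 # minutes
overrides:
  form-data: ">=4.0.4"
  axios: ">=1.15.2"
  lodash: ">=4.18.0"
"""
LOCK_YAML = """\
packages:
  axios@1.15.2:
    resolution: {integrity: sha512-PLACEHOLDER}
  form-data@4.0.2:
    resolution: {integrity: sha512-PLACEHOLDER}
"""
# "  name@version:" entries (quoted for scoped packages) under packages:/snapshots:
PKG_RE = re.compile(r"^  '?(@?[^@\s']+)@([^:'\s]+)'?:\s*$")
def parse_workspace(text):  # -> (minimumReleaseAge in minutes, {package: range})
    age, overrides, in_overrides = 0, {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.strip().partition(":")
        if not line.startswith(" "):          # top-level key: track which block we are in
            in_overrides = key == "overrides"
            if key == "minimumReleaseAge":
                age = int(value.split("#")[0].strip())
        elif in_overrides:                    # indented entry of the overrides: block
            overrides[key] = value.strip().strip("'\"")
    return age, overrides
def parse_lock_packages(text):  # -> {name: {versions}}, peer-dep suffixes stripped
    locked = {}
    for m in filter(None, map(PKG_RE.match, text.splitlines())):
        locked.setdefault(m.group(1), set()).add(m.group(2).split("(")[0])
    return locked
def version_key(v):  # numeric tuple for comparison; pre-release tags are ignored
    return tuple(int(p) for p in v.split("-")[0].split("."))
def audit(workspace_text, lock_text, min_age=2880):  # -> list of human-readable findings
    age, overrides = parse_workspace(workspace_text)
    locked = parse_lock_packages(lock_text)
    findings = [f"minimumReleaseAge {age} < {min_age} minutes"] if age < min_age else []
    for name, rng in overrides.items():
        floor = rng[2:] if rng.startswith(">=") else None
        if floor is None:  # only '>=' floors are checked; anything else is flagged
            findings.append(f"{name}: unsupported override range {rng!r}")
        for v in sorted(locked.get(name, ()) if floor else ()):
            if version_key(v) < version_key(floor):
                findings.append(f"{name}@{v} is below override floor {floor}")
    return findings
```

In a pipeline, read the two real files instead of the constructed strings and fail the job when `audit()` returns a non-empty list.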
### `package.json` additions
```json
{
"packageManager": "pnpm@11.x.x"
}
```
Remove any `overrides` or `pnpm.ov