CI: fix load-test port, security-scan TruffleHog/dependency-check, document NVD_API_KEY

- load-test: set PORT=8000 so backend listens where curl/k6 expect
- security-scan: resolve base SHA for TruffleHog (fix BASE==HEAD on schedule/dispatch)
- security-scan: use job-local dependency-check data dir to avoid H2/MVStore corruption
- backend: dependencyCheck data.directory from property or RUNNER_TEMP/buildDir
- SETUP.md: add NVD_API_KEY secret instructions for dependency-check

Author: MaxLuxs

.github/SETUP.md

@@ -84,6 +84,15 @@ docker run -it -p 18000:18000 ghcr.io/maxluxs/flagent:latest
 2. Нажмите **New repository secret**
 3. Добавьте необходимые секреты (например, API ключи для интеграций)
 
+### NVD_API_KEY (для Security Scan — Dependency Check)
+
+Для стабильной работы шага **Dependency Vulnerability Scan** в workflow `security-scan.yml` добавьте секрет **NVD_API_KEY**:
+
+- **Name:** `NVD_API_KEY`
+- **Value:** бесплатный API-ключ с [NVD — Request an API Key](https://nvd.nist.gov/developers/request-an-api-key)
+
+Без ключа запросы к NVD часто получают 403/rate limit, сканирование долго ретраится и может падать. С ключом обновление базы CVE быстрее и стабильнее.
+
 ## Структура workflows
 
 - **`.github/workflows/ci.yml`** - Основной CI: тесты, сборка, покрытие кода

.github/workflows/load-test.yml

@@ -68,6 +68,7 @@ jobs:
 
       - name: Start Flagent Server
         env:
+          PORT: 8000
           FLAGENT_DB_DBDRIVER: postgresql
           FLAGENT_DB_DBCONNECTIONSTR: postgresql://flagent:flagent@localhost:5432/flagent
         run: |

.github/workflows/security-scan.yml

@@ -30,7 +30,7 @@ jobs:
       - name: Gradle Dependency Check
         env:
           NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
-        run: ./gradlew :backend:dependencyCheckAnalyze
+        run: ./gradlew :backend:dependencyCheckAnalyze -PdependencyCheck.dataDirectory=$RUNNER_TEMP/dependency-check-data
 
       - name: Upload Dependency Check Results
         if: always()
@@ -47,13 +47,25 @@ jobs:
         with:
           fetch-depth: 0
 
-      # On push use event.before so BASE != HEAD; on PR use PR base/head
+      - name: Resolve base SHA
+        id: resolve_base
+        run: |
+          if [ -n "${{ github.event.pull_request.base.sha }}" ]; then
+            echo "base=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT"
+          elif [ -n "${{ github.event.before }}" ] && [ "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]; then
+            echo "base=${{ github.event.before }}" >> "$GITHUB_OUTPUT"
+          else
+            BASE=$(git rev-parse HEAD^ 2>/dev/null || true)
+            echo "base=${BASE:-${{ github.sha }}}" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: TruffleHog Scan
+        if: steps.resolve_base.outputs.base != github.sha
         uses: trufflesecurity/trufflehog@main
         with:
           path: ./
-          base: ${{ github.event.pull_request.base.sha || github.event.before || github.event.repository.default_branch }}
-          head: ${{ github.event.pull_request.head.sha || github.sha }}
+          base: ${{ steps.resolve_base.outputs.base }}
+          head: ${{ github.sha }}
 
   container-scan:
     name: Container Image Scan

backend/build.gradle.kts

@@ -14,6 +14,9 @@ dependencyCheck {
     failBuildOnCVSS = 11f  // Don't fail on CVSS, only report
     failOnError = false    // Don't fail when NVD is unreachable (403, etc.)
     formats = listOf("HTML", "JSON")
+    val dataDir = project.findProperty("dependencyCheck.dataDirectory")?.toString()
+        ?: "${System.getenv("RUNNER_TEMP") ?: layout.buildDirectory.get().asFile}/dependency-check-data"
+    data.directory.set(dataDir)
 }
 
 java {
@@ -66,6 +69,8 @@ dependencies {
 
     // Messaging
     implementation(libs.bundles.messaging)
+    // Override transitive lz4-java (kafka-clients pulls org.lz4:1.8.0); root build substitutes with at.yawk.lz4 fork
+    implementation(libs.lz4.java)
 
     // JWT (JJWT)
     implementation(libs.jjwt.api)