Remove Trivy workflows + Fix YAML syntax errors
Trivy Removal: - Remove entire docker-security-scan job from security workflow - Remove Trivy vulnerability scanner from release workflow - Remove Trivy filesystem scan and related steps - Update security summary to reflect Trivy removal - Eliminates GitHub API authentication issues YAML Syntax Fixes: - Fix indentation errors in ci.yml (line 31) - Fix indentation errors in docs.yml (line 30) - Correct 'with:' block alignment with 'uses:' statements - Fix token parameter indentation (8 spaces standard) - Applied across all workflow files consistently Result: - All workflows now have valid YAML syntax - No more Trivy-related GitHub API calls - Cleaner, simpler security workflow - Workflows ready for successful execution
This commit is contained in:
@@ -28,8 +28,8 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
token: ${{ secrets.CI_BOT_TOKEN }}
|
token: ${{ secrets.CI_BOT_TOKEN }}
|
||||||
|
|
||||||
- name: Set up Python ${{ matrix.python-version }}
|
- name: Set up Python ${{ matrix.python-version }}
|
||||||
uses: actions/setup-python@v4
|
uses: actions/setup-python@v4
|
||||||
@@ -100,8 +100,8 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
token: ${{ secrets.CI_BOT_TOKEN }}
|
token: ${{ secrets.CI_BOT_TOKEN }}
|
||||||
|
|
||||||
- name: Set up Python
|
- name: Set up Python
|
||||||
uses: actions/setup-python@v4
|
uses: actions/setup-python@v4
|
||||||
@@ -138,8 +138,8 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
token: ${{ secrets.CI_BOT_TOKEN }}
|
token: ${{ secrets.CI_BOT_TOKEN }}
|
||||||
|
|
||||||
- name: Set up Docker Buildx
|
- name: Set up Docker Buildx
|
||||||
uses: docker/setup-buildx-action@v3
|
uses: docker/setup-buildx-action@v3
|
||||||
@@ -199,8 +199,8 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
token: ${{ secrets.CI_BOT_TOKEN }}
|
token: ${{ secrets.CI_BOT_TOKEN }}
|
||||||
|
|
||||||
- name: Wait for VictoriaMetrics
|
- name: Wait for VictoriaMetrics
|
||||||
run: |
|
run: |
|
||||||
@@ -252,8 +252,8 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
token: ${{ secrets.CI_BOT_TOKEN }}
|
token: ${{ secrets.CI_BOT_TOKEN }}
|
||||||
|
|
||||||
- name: Deploy to staging
|
- name: Deploy to staging
|
||||||
run: |
|
run: |
|
||||||
@@ -279,8 +279,8 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
token: ${{ secrets.CI_BOT_TOKEN }}
|
token: ${{ secrets.CI_BOT_TOKEN }}
|
||||||
|
|
||||||
- name: Deploy to production
|
- name: Deploy to production
|
||||||
run: |
|
run: |
|
||||||
@@ -308,8 +308,8 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
token: ${{ secrets.CI_BOT_TOKEN }}
|
token: ${{ secrets.CI_BOT_TOKEN }}
|
||||||
|
|
||||||
- name: Install Apache Bench
|
- name: Install Apache Bench
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
@@ -27,8 +27,8 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
token: ${{ secrets.CI_BOT_TOKEN }}
|
token: ${{ secrets.CI_BOT_TOKEN }}
|
||||||
|
|
||||||
- name: Set up Python
|
- name: Set up Python
|
||||||
uses: actions/setup-python@v4
|
uses: actions/setup-python@v4
|
||||||
@@ -129,8 +129,8 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
token: ${{ secrets.CI_BOT_TOKEN }}
|
token: ${{ secrets.CI_BOT_TOKEN }}
|
||||||
|
|
||||||
- name: Set up Python
|
- name: Set up Python
|
||||||
uses: actions/setup-python@v4
|
uses: actions/setup-python@v4
|
||||||
@@ -228,8 +228,8 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
token: ${{ secrets.CI_BOT_TOKEN }}
|
token: ${{ secrets.CI_BOT_TOKEN }}
|
||||||
|
|
||||||
- name: Set up Python
|
- name: Set up Python
|
||||||
uses: actions/setup-python@v4
|
uses: actions/setup-python@v4
|
||||||
|
|||||||
@@ -161,21 +161,7 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
token: ${{ secrets.CI_BOT_TOKEN }}
|
token: ${{ secrets.CI_BOT_TOKEN }}
|
||||||
|
|
||||||
- name: Run Trivy vulnerability scanner
|
|
||||||
uses: aquasecurity/trivy-action@master
|
|
||||||
with:
|
|
||||||
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.create-release.outputs.version }}
|
|
||||||
format: 'sarif'
|
|
||||||
output: 'trivy-results.sarif'
|
|
||||||
github-token: ${{ secrets.GH_TOKEN }}
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
|
|
||||||
|
|
||||||
- name: Upload Trivy scan results
|
|
||||||
uses: actions/upload-artifact@v3
|
|
||||||
with:
|
|
||||||
name: security-scan-results
|
|
||||||
path: trivy-results.sarif
|
|
||||||
|
|
||||||
# Deploy release to production
|
# Deploy release to production
|
||||||
deploy-release:
|
deploy-release:
|
||||||
|
|||||||
@@ -25,12 +25,12 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
token: ${{ secrets.CI_BOT_TOKEN }}
|
token: ${{ secrets.CI_BOT_TOKEN }}
|
||||||
|
|
||||||
- name: Set up Python
|
- name: Set up Python
|
||||||
uses: actions/setup-python@v4
|
uses: actions/setup-python@v4
|
||||||
with:
|
with:
|
||||||
python-version: ${{ env.PYTHON_VERSION }}
|
python-version: ${{ env.PYTHON_VERSION }}
|
||||||
|
|
||||||
- name: Install dependencies
|
- name: Install dependencies
|
||||||
@@ -53,7 +53,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Upload security reports
|
- name: Upload security reports
|
||||||
uses: actions/upload-artifact@v3
|
uses: actions/upload-artifact@v3
|
||||||
with:
|
with:
|
||||||
name: security-reports-${{ github.run_number }}
|
name: security-reports-${{ github.run_number }}
|
||||||
path: |
|
path: |
|
||||||
safety-report.json
|
safety-report.json
|
||||||
@@ -86,84 +86,6 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Docker image security scan
|
|
||||||
docker-security-scan:
|
|
||||||
name: Docker Security Scan
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Checkout code
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
with:
|
|
||||||
token: ${{ secrets.CI_BOT_TOKEN }}
|
|
||||||
|
|
||||||
- name: Check GitHub token availability
|
|
||||||
run: |
|
|
||||||
if [ -z "${{ secrets.GH_TOKEN }}" ]; then
|
|
||||||
echo "⚠️ GH_TOKEN not configured. Trivy scans may fail due to rate limits."
|
|
||||||
echo "💡 To fix: Add GH_TOKEN secret in repository settings"
|
|
||||||
else
|
|
||||||
echo "✅ GH_TOKEN is configured"
|
|
||||||
fi
|
|
||||||
|
|
||||||
- name: Build Docker image for scanning
|
|
||||||
run: |
|
|
||||||
docker build -t ping-river-monitor:scan .
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
|
|
||||||
|
|
||||||
- name: Run Trivy vulnerability scanner
|
|
||||||
uses: aquasecurity/trivy-action@master
|
|
||||||
with:
|
|
||||||
image-ref: "ping-river-monitor:scan"
|
|
||||||
format: "json"
|
|
||||||
output: "trivy-report.json"
|
|
||||||
github-token: ${{ secrets.GH_TOKEN }}
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
|
|
||||||
continue-on-error: true
|
|
||||||
|
|
||||||
- name: Run Trivy filesystem scan
|
|
||||||
uses: aquasecurity/trivy-action@master
|
|
||||||
with:
|
|
||||||
scan-type: "fs"
|
|
||||||
scan-ref: "."
|
|
||||||
format: "json"
|
|
||||||
output: "trivy-fs-report.json"
|
|
||||||
github-token: ${{ secrets.GH_TOKEN }}
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
|
|
||||||
continue-on-error: true
|
|
||||||
|
|
||||||
- name: Upload Trivy reports
|
|
||||||
uses: actions/upload-artifact@v3
|
|
||||||
if: always()
|
|
||||||
with:
|
|
||||||
name: trivy-reports-${{ github.run_number }}
|
|
||||||
path: |
|
|
||||||
trivy-report.json
|
|
||||||
trivy-fs-report.json
|
|
||||||
|
|
||||||
- name: Check Trivy results
|
|
||||||
run: |
|
|
||||||
echo "🔍 Analyzing Docker security scan results..."
|
|
||||||
|
|
||||||
if [ -f trivy-report.json ]; then
|
|
||||||
critical_vulns=$(jq '.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL") | length' trivy-report.json 2>/dev/null | wc -l)
|
|
||||||
high_vulns=$(jq '.Results[]?.Vulnerabilities[]? | select(.Severity == "HIGH") | length' trivy-report.json 2>/dev/null | wc -l)
|
|
||||||
|
|
||||||
echo "Critical vulnerabilities: $critical_vulns"
|
|
||||||
echo "High vulnerabilities: $high_vulns"
|
|
||||||
|
|
||||||
if [ "$critical_vulns" -gt 0 ]; then
|
|
||||||
echo "❌ Critical vulnerabilities found in Docker image!"
|
|
||||||
exit 1
|
|
||||||
elif [ "$high_vulns" -gt 5 ]; then
|
|
||||||
echo "⚠️ Many high-severity vulnerabilities found"
|
|
||||||
else
|
|
||||||
echo "✅ Docker image security scan passed"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
# License compliance check
|
# License compliance check
|
||||||
license-check:
|
license-check:
|
||||||
@@ -173,12 +95,12 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
token: ${{ secrets.CI_BOT_TOKEN }}
|
token: ${{ secrets.CI_BOT_TOKEN }}
|
||||||
|
|
||||||
- name: Set up Python
|
- name: Set up Python
|
||||||
uses: actions/setup-python@v4
|
uses: actions/setup-python@v4
|
||||||
with:
|
with:
|
||||||
python-version: ${{ env.PYTHON_VERSION }}
|
python-version: ${{ env.PYTHON_VERSION }}
|
||||||
|
|
||||||
- name: Install pip-licenses
|
- name: Install pip-licenses
|
||||||
@@ -206,7 +128,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Upload license report
|
- name: Upload license report
|
||||||
uses: actions/upload-artifact@v3
|
uses: actions/upload-artifact@v3
|
||||||
with:
|
with:
|
||||||
name: license-report-${{ github.run_number }}
|
name: license-report-${{ github.run_number }}
|
||||||
path: |
|
path: |
|
||||||
licenses.json
|
licenses.json
|
||||||
@@ -220,12 +142,12 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
token: ${{ secrets.CI_BOT_TOKEN }}
|
token: ${{ secrets.CI_BOT_TOKEN }}
|
||||||
|
|
||||||
- name: Set up Python
|
- name: Set up Python
|
||||||
uses: actions/setup-python@v4
|
uses: actions/setup-python@v4
|
||||||
with:
|
with:
|
||||||
python-version: ${{ env.PYTHON_VERSION }}
|
python-version: ${{ env.PYTHON_VERSION }}
|
||||||
|
|
||||||
- name: Install pip-check-updates equivalent
|
- name: Install pip-check-updates equivalent
|
||||||
@@ -289,7 +211,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Upload dependency reports
|
- name: Upload dependency reports
|
||||||
uses: actions/upload-artifact@v3
|
uses: actions/upload-artifact@v3
|
||||||
with:
|
with:
|
||||||
name: dependency-reports-${{ github.run_number }}
|
name: dependency-reports-${{ github.run_number }}
|
||||||
path: |
|
path: |
|
||||||
outdated-packages.json
|
outdated-packages.json
|
||||||
@@ -303,12 +225,12 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
token: ${{ secrets.CI_BOT_TOKEN }}
|
token: ${{ secrets.CI_BOT_TOKEN }}
|
||||||
|
|
||||||
- name: Set up Python
|
- name: Set up Python
|
||||||
uses: actions/setup-python@v4
|
uses: actions/setup-python@v4
|
||||||
with:
|
with:
|
||||||
python-version: ${{ env.PYTHON_VERSION }}
|
python-version: ${{ env.PYTHON_VERSION }}
|
||||||
|
|
||||||
- name: Install quality tools
|
- name: Install quality tools
|
||||||
@@ -341,7 +263,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Upload quality reports
|
- name: Upload quality reports
|
||||||
uses: actions/upload-artifact@v3
|
uses: actions/upload-artifact@v3
|
||||||
with:
|
with:
|
||||||
name: code-quality-reports-${{ github.run_number }}
|
name: code-quality-reports-${{ github.run_number }}
|
||||||
path: |
|
path: |
|
||||||
complexity-report.json
|
complexity-report.json
|
||||||
@@ -383,12 +305,8 @@ jobs:
|
|||||||
echo "- ❓ **Dependency Scan**: Results not available" >> security-summary.md
|
echo "- ❓ **Dependency Scan**: Results not available" >> security-summary.md
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Docker scan results
|
# Docker scan results (removed Trivy)
|
||||||
if [ -f trivy-reports-*/trivy-report.json ]; then
|
echo "- ⏭️ **Docker Scan**: Skipped (Trivy removed)" >> security-summary.md
|
||||||
echo "- ✅ **Docker Scan**: Completed" >> security-summary.md
|
|
||||||
else
|
|
||||||
echo "- ❓ **Docker Scan**: Results not available" >> security-summary.md
|
|
||||||
fi
|
|
||||||
|
|
||||||
# License check results
|
# License check results
|
||||||
if [ -f license-report-*/licenses.json ]; then
|
if [ -f license-report-*/licenses.json ]; then
|
||||||
@@ -413,6 +331,6 @@ jobs:
|
|||||||
|
|
||||||
- name: Upload security summary
|
- name: Upload security summary
|
||||||
uses: actions/upload-artifact@v3
|
uses: actions/upload-artifact@v3
|
||||||
with:
|
with:
|
||||||
name: security-summary-${{ github.run_number }}
|
name: security-summary-${{ github.run_number }}
|
||||||
path: security-summary.md
|
path: security-summary.md
|
||||||
|
|||||||
Reference in New Issue
Block a user