Update .gitea/workflows/security.yml

2025-08-12 17:31:35 +07:00
parent 985f9754c4
commit af53f68d2c
1 changed files with 89 additions and 7 deletions
--- a/.gitea/workflows/security.yml
+++ b/.gitea/workflows/security.yml
@@ -53,7 +53,7 @@ jobs:

      - name: Upload security reports
        uses: actions/upload-artifact@v3
-      with:
+        with:
          name: security-reports-${{ github.run_number }}
          path: |
            safety-report.json
@@ -86,6 +86,84 @@ jobs:
            fi
          fi

+  # Docker image security scan
+  docker-security-scan:
+    name: Docker Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.CI_BOT_TOKEN }}
+
+      - name: Check GitHub token availability
+        run: |
+          if [ -z "${{ secrets.GH_TOKEN }}" ]; then
+            echo "⚠️ GH_TOKEN not configured. Trivy scans may fail due to rate limits."
+            echo "💡 To fix: Add GH_TOKEN secret in repository settings"
+          else
+            echo "✅ GH_TOKEN is configured"
+          fi
+
+      - name: Build Docker image for scanning
+        run: |
+          docker build -t ping-river-monitor:scan .
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "ping-river-monitor:scan"
+          format: "json"
+          output: "trivy-report.json"
+          github-token: ${{ secrets.GH_TOKEN }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+        continue-on-error: true
+
+      - name: Run Trivy filesystem scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "fs"
+          scan-ref: "."
+          format: "json"
+          output: "trivy-fs-report.json"
+          github-token: ${{ secrets.GH_TOKEN }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+        continue-on-error: true
+
+      - name: Upload Trivy reports
+        uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: trivy-reports-${{ github.run_number }}
+          path: |
+            trivy-report.json
+            trivy-fs-report.json
+
+      - name: Check Trivy results
+        run: |
+          echo "🔍 Analyzing Docker security scan results..."
+
+          if [ -f trivy-report.json ]; then
+            critical_vulns=$(jq '.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL") | length' trivy-report.json 2>/dev/null | wc -l)
+            high_vulns=$(jq '.Results[]?.Vulnerabilities[]? | select(.Severity == "HIGH") | length' trivy-report.json 2>/dev/null | wc -l)
+            
+            echo "Critical vulnerabilities: $critical_vulns"
+            echo "High vulnerabilities: $high_vulns"
+            
+            if [ "$critical_vulns" -gt 0 ]; then
+              echo "❌ Critical vulnerabilities found in Docker image!"
+              exit 1
+            elif [ "$high_vulns" -gt 5 ]; then
+              echo "⚠️ Many high-severity vulnerabilities found"
+            else
+              echo "✅ Docker image security scan passed"
+            fi
+          fi

  # License compliance check
  license-check:
@@ -128,7 +206,7 @@ jobs:

      - name: Upload license report
        uses: actions/upload-artifact@v3
-      with:
+        with:
          name: license-report-${{ github.run_number }}
          path: |
            licenses.json
@@ -211,7 +289,7 @@ jobs:

      - name: Upload dependency reports
        uses: actions/upload-artifact@v3
-      with:
+        with:
          name: dependency-reports-${{ github.run_number }}
          path: |
            outdated-packages.json
@@ -263,7 +341,7 @@ jobs:

      - name: Upload quality reports
        uses: actions/upload-artifact@v3
-      with:
+        with:
          name: code-quality-reports-${{ github.run_number }}
          path: |
            complexity-report.json
@@ -305,8 +383,12 @@ jobs:
            echo "- ❓ **Dependency Scan**: Results not available" >> security-summary.md
          fi

-          # Docker scan results (removed Trivy)
-          echo "- ⏭️ **Docker Scan**: Skipped (Trivy removed)" >> security-summary.md
+          # Docker scan results
+          if [ -f trivy-reports-*/trivy-report.json ]; then
+            echo "- ✅ **Docker Scan**: Completed" >> security-summary.md
+          else
+            echo "- ❓ **Docker Scan**: Results not available" >> security-summary.md
+          fi

          # License check results
          if [ -f license-report-*/licenses.json ]; then
@@ -331,6 +413,6 @@ jobs:

      - name: Upload security summary
        uses: actions/upload-artifact@v3
-      with:
+        with:
          name: security-summary-${{ github.run_number }}
          path: security-summary.md