diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml
index fccd04b..9f930b5 100644
--- a/.gitea/workflows/security.yml
+++ b/.gitea/workflows/security.yml
@@ -53,7 +53,7 @@ jobs:
 - name: Upload security reports
 uses: actions/upload-artifact@v3
- with:
+ with:
 name: security-reports-${{ github.run_number }}
 path: |
 safety-report.json
@@ -86,6 +86,84 @@ jobs:
 fi
 fi
+ # Docker image security scan
+ docker-security-scan:
+ name: Docker Security Scan
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.CI_BOT_TOKEN }}
+
+ - name: Check GitHub token availability
+ run: |
+ if [ -z "${{ secrets.GH_TOKEN }}" ]; then
+ echo "⚠️ GH_TOKEN not configured. Trivy scans may fail due to rate limits."
+ echo "💡 To fix: Add GH_TOKEN secret in repository settings"
+ else
+ echo "✅ GH_TOKEN is configured"
+ fi
+
+ - name: Build Docker image for scanning
+ run: |
+ docker build -t ping-river-monitor:scan .
+ env:
+ GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: "ping-river-monitor:scan"
+ format: "json"
+ output: "trivy-report.json"
+ github-token: ${{ secrets.GH_TOKEN }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+ continue-on-error: true
+
+ - name: Run Trivy filesystem scan
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: "fs"
+ scan-ref: "."
+ format: "json"
+ output: "trivy-fs-report.json"
+ github-token: ${{ secrets.GH_TOKEN }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+ continue-on-error: true
+
+ - name: Upload Trivy reports
+ uses: actions/upload-artifact@v3
+ if: always()
+ with:
+ name: trivy-reports-${{ github.run_number }}
+ path: |
+ trivy-report.json
+ trivy-fs-report.json
+
+ - name: Check Trivy results
+ run: |
+ echo "🔍 Analyzing Docker security scan results..."
+
+ if [ -f trivy-report.json ]; then
+ critical_vulns=$(jq '.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL") | length' trivy-report.json 2>/dev/null | wc -l)
+ high_vulns=$(jq '.Results[]?.Vulnerabilities[]?
| select(.Severity == "HIGH") | length' trivy-report.json 2>/dev/null | wc -l)
+
+ echo "Critical vulnerabilities: $critical_vulns"
+ echo "High vulnerabilities: $high_vulns"
+
+ if [ "$critical_vulns" -gt 0 ]; then
+ echo "❌ Critical vulnerabilities found in Docker image!"
+ exit 1
+ elif [ "$high_vulns" -gt 5 ]; then
+ echo "⚠️ Many high-severity vulnerabilities found"
+ else
+ echo "✅ Docker image security scan passed"
+ fi
+ fi
 # License compliance check
 license-check:
@@ -128,7 +206,7 @@ jobs:
 - name: Upload license report
 uses: actions/upload-artifact@v3
- with:
+ with:
 name: license-report-${{ github.run_number }}
 path: |
 licenses.json
@@ -211,7 +289,7 @@ jobs:
 - name: Upload dependency reports
 uses: actions/upload-artifact@v3
- with:
+ with:
 name: dependency-reports-${{ github.run_number }}
 path: |
 outdated-packages.json
@@ -263,7 +341,7 @@ jobs:
 - name: Upload quality reports
 uses: actions/upload-artifact@v3
- with:
+ with:
 name: code-quality-reports-${{ github.run_number }}
 path: |
 complexity-report.json
@@ -305,8 +383,12 @@ jobs:
 echo "- ❓ **Dependency Scan**: Results not available" >> security-summary.md
 fi
- # Docker scan results (removed Trivy)
- echo "- ⏭️ **Docker Scan**: Skipped (Trivy removed)" >> security-summary.md
+ # Docker scan results
+ if [ -f trivy-reports-*/trivy-report.json ]; then
+ echo "- ✅ **Docker Scan**: Completed" >> security-summary.md
+ else
+ echo "- ❓ **Docker Scan**: Results not available" >> security-summary.md
+ fi
 # License check results
 if [ -f license-report-*/licenses.json ]; then
@@ -331,6 +413,6 @@ jobs:
 - name: Upload security summary
 uses: actions/upload-artifact@v3
- with:
+ with:
 name: security-summary-${{ github.run_number }}
 path: security-summary.md
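Review bot: The `Check Trivy results` step fails open — both Trivy steps carry `continue-on-error: true`, and when `trivy-report.json` is absent the `if [ -f trivy-report.json ]` guard skips every check and the job finishes green, so a scanner failure (including the rate-limit case the GH_TOKEN step warns about) is indistinguishable from a clean image, and `trivy-fs-report.json` is never evaluated at all. The counting also works only by accident: `select(...) | length` prints one line per matching object and `wc -l` counts those lines, while any jq error is hidden by `2>/dev/null` and read as zero; a `[...] | length` collection gives the count directly and a missing report should be an explicit failure, as in the rewrite below. Separately, `aquasecurity/trivy-action@master` is an unpinned mutable ref to a third-party action, and it runs in a job whose checkout used `token: ${{ secrets.CI_BOT_TOKEN }}` — a credential that `actions/checkout` persists into `.git/config` by default and that a scan job does not need — so pin the action to a release tag or commit SHA and drop the token (or set `persist-credentials: false`). Interpolating `${{ secrets.GH_TOKEN }}` directly into the `run:` script of the availability check also writes the secret into the generated shell file; pass it via `env:` and test `[ -z "$GH_TOKEN" ]` instead. Trivy's own `severity` and `exit-code` inputs could replace the hand-rolled parsing entirely, but the rewrite keeps the current step structure.
```yaml
      - name: Check Trivy results
        run: |
          echo "🔍 Analyzing Docker security scan results..."

          # Fail closed: no report means Trivy did not finish (continue-on-error hides that above).
          if [ ! -f trivy-report.json ]; then
            echo "❌ trivy-report.json not found; the image scan did not complete"
            exit 1
          fi

          # Count findings of one severity; a jq error aborts the step instead of reading as 0.
          count_severity() {
            jq --arg sev "$1" '[.Results[]?.Vulnerabilities[]? | select(.Severity == $sev)] | length' trivy-report.json
          }
          critical_vulns=$(count_severity CRITICAL) || exit 1
          high_vulns=$(count_severity HIGH) || exit 1

          echo "Critical vulnerabilities: $critical_vulns"
          echo "High vulnerabilities: $high_vulns"

          # … unchanged: CRITICAL -> exit 1, HIGH > 5 -> warning, else pass …
```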
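Review bot: The new summary branch writes `✅ **Docker Scan**: Completed` whenever `trivy-reports-*/trivy-report.json` exists, not when the scan actually passed — the scan job uploads that artifact with `if: always()` and its Trivy steps use `continue-on-error: true`, so a report full of CRITICAL findings, or one left behind by a run that then errored, still earns the green line. The summary should reflect the result; one option is to put the count on the same line, `echo "- ✅ **Docker Scan**: Completed ($(jq '[.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length' trivy-reports-*/trivy-report.json) critical)" >> security-summary.md`, and choose the icon from that count. Note also that `[ -f trivy-reports-*/trivy-report.json ]` relies on the glob expanding to exactly one path: with no match the literal pattern simply tests false, but with two matching directories `[` fails with "too many arguments" and the else branch runs. The enclosing step, and the artifact download it presumably depends on, start outside the hunk.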