grabowski/Northern-Thailand-Ping-River-Monitor
5
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases 15 Wiki Activity

Update .gitea/workflows/security.yml
All checks were successful
Security & Dependency Updates / Dependency Security Scan (push) Successful in 20s
Details
Security & Dependency Updates / Docker Security Scan (push) Successful in 1m24s
Details
Security & Dependency Updates / License Compliance (push) Successful in 11s
Details
Security & Dependency Updates / Check for Dependency Updates (push) Successful in 18s
Details
Security & Dependency Updates / Code Quality Metrics (push) Successful in 14s
Details
Security & Dependency Updates / Security Summary (push) Successful in 6s
Details

Browse Source
This commit is contained in:
Alexander Grabowski
2025-08-12 17:31:35 +07:00
parent 985f9754c4
commit af53f68d2c
1 changed files with 89 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
.gitea/workflows/security.yml
View File

@@ -53,7 +53,7 @@ jobs:
- name: Upload security reports - name: Upload security reports
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: security-reports-${{ github.run_number }} name: security-reports-${{ github.run_number }}
path: | path: |
safety-report.json safety-report.json
@@ -86,6 +86,84 @@ jobs:
fi fi
fi fi
# Docker image security scan
docker-security-scan:
name: Docker Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Check GitHub token availability
run: |
if [ -z "${{ secrets.GH_TOKEN }}" ]; then
echo "⚠️ GH_TOKEN not configured. Trivy scans may fail due to rate limits."
echo "💡 To fix: Add GH_TOKEN secret in repository settings"
else
echo "✅ GH_TOKEN is configured"
fi
- name: Build Docker image for scanning
run: |
docker build -t ping-river-monitor:scan .
env:
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: "ping-river-monitor:scan"
format: "json"
output: "trivy-report.json"
github-token: ${{ secrets.GH_TOKEN }}
env:
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
continue-on-error: true
- name: Run Trivy filesystem scan
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
scan-ref: "."
format: "json"
output: "trivy-fs-report.json"
github-token: ${{ secrets.GH_TOKEN }}
env:
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
continue-on-error: true
- name: Upload Trivy reports
uses: actions/upload-artifact@v3
if: always()
with:
name: trivy-reports-${{ github.run_number }}
path: |
trivy-report.json
trivy-fs-report.json
- name: Check Trivy results
run: |
echo "🔍 Analyzing Docker security scan results..."
if [ -f trivy-report.json ]; then
critical_vulns=$(jq '.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL") | length' trivy-report.json 2>/dev/null | wc -l)
high_vulns=$(jq '.Results[]?.Vulnerabilities[]? | select(.Severity == "HIGH") | length' trivy-report.json 2>/dev/null | wc -l)
echo "Critical vulnerabilities: $critical_vulns"
echo "High vulnerabilities: $high_vulns"
if [ "$critical_vulns" -gt 0 ]; then
echo "❌ Critical vulnerabilities found in Docker image!"
exit 1
elif [ "$high_vulns" -gt 5 ]; then
echo "⚠️ Many high-severity vulnerabilities found"
else
echo "✅ Docker image security scan passed"
fi
fi
# License compliance check # License compliance check
license-check: license-check:
@@ -128,7 +206,7 @@ jobs:
- name: Upload license report - name: Upload license report
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: license-report-${{ github.run_number }} name: license-report-${{ github.run_number }}
path: | path: |
licenses.json licenses.json
@@ -211,7 +289,7 @@ jobs:
- name: Upload dependency reports - name: Upload dependency reports
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: dependency-reports-${{ github.run_number }} name: dependency-reports-${{ github.run_number }}
path: | path: |
outdated-packages.json outdated-packages.json
@@ -263,7 +341,7 @@ jobs:
- name: Upload quality reports - name: Upload quality reports
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: code-quality-reports-${{ github.run_number }} name: code-quality-reports-${{ github.run_number }}
path: | path: |
complexity-report.json complexity-report.json
@@ -305,8 +383,12 @@ jobs:
echo "- ❓ **Dependency Scan**: Results not available" >> security-summary.md echo "- ❓ **Dependency Scan**: Results not available" >> security-summary.md
fi fi
# Docker scan results (removed Trivy) # Docker scan results
echo "- ⏭️ **Docker Scan**: Skipped (Trivy removed)" >> security-summary.md if [ -f trivy-reports-*/trivy-report.json ]; then
echo "- ✅ **Docker Scan**: Completed" >> security-summary.md
else
echo "- ❓ **Docker Scan**: Results not available" >> security-summary.md
fi
# License check results # License check results
if [ -f license-report-*/licenses.json ]; then if [ -f license-report-*/licenses.json ]; then
@@ -331,6 +413,6 @@ jobs:
- name: Upload security summary - name: Upload security summary
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: security-summary-${{ github.run_number }} name: security-summary-${{ github.run_number }}
path: security-summary.md path: security-summary.md