ci: add Trivy security scanning (SAST/SCA) to pipeline

- PR checks: filesystem scan with Trivy (vuln, secret, misconfig)
- Deploy pipeline: image scan for bot and web containers before deploy
- Scans entire repository, not filtered file subsets
- Bump version -> 1.14.0

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/deploy.yml

@@ -6,7 +6,7 @@ on:
       - main 
 
 env:
-  VERSION: 1.13.0
+  VERSION: 1.14.0
 
 jobs:
   # ЧАСТЬ 1: Собираем образы и кладем в Gitea (чтобы делиться с ребятами)
@@ -51,9 +51,34 @@ jobs:
           docker push git.codeanddice.ru/toutsu/gmrelay-web:latest
           docker push git.codeanddice.ru/toutsu/gmrelay-web:${{ env.VERSION }}
 
+  # ЧАСТЬ 1.5: Сканируем собранные образы на уязвимости
+  scan-images:
+    needs: build-and-push
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Scan Bot image
+        run: |
+          trivy image \
+            --severity HIGH,CRITICAL \
+            --exit-code 1 \
+            --format table \
+            git.codeanddice.ru/toutsu/gmrelay-bot:${{ env.VERSION }}
+
+      - name: Scan Web image
+        run: |
+          trivy image \
+            --severity HIGH,CRITICAL \
+            --exit-code 1 \
+            --format table \
+            git.codeanddice.ru/toutsu/gmrelay-web:${{ env.VERSION }}
+
   # ЧАСТЬ 2: Запускаем эти образы на самом сервере
   deploy:
-    needs: build-and-push
+    needs: scan-images
     runs-on: ubuntu-latest # Тот же локальный раннер
     steps:
       - name: Checkout repository

.gitea/workflows/pr-checks.yml

@@ -6,6 +6,25 @@ on:
       - main
 
 jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Run Trivy filesystem scan (full repo)
+        run: |
+          trivy fs \
+            --scanners vuln,secret,misconfig \
+            --severity HIGH,CRITICAL \
+            --exit-code 1 \
+            --format table \
+            .
+
   test-and-build:
     runs-on: ubuntu-latest
     steps:

Directory.Build.props

@@ -1,6 +1,6 @@
 <Project>
   <PropertyGroup>
-    <Version>1.13.0</Version>
+    <Version>1.14.0</Version>
     <TargetFramework>net10.0</TargetFramework>
     <LangVersion>preview</LangVersion>
     <Nullable>enable</Nullable>

compose.yaml

@@ -17,7 +17,7 @@ services:
       retries: 10
 
   bot:
-    image: git.codeanddice.ru/toutsu/gmrelay-bot:1.13.0
+    image: git.codeanddice.ru/toutsu/gmrelay-bot:1.14.0
     restart: always
     depends_on:
       db:
@@ -30,7 +30,7 @@ services:
       - gmrelay
 
   web:
-    image: git.codeanddice.ru/toutsu/gmrelay-web:1.13.0
+    image: git.codeanddice.ru/toutsu/gmrelay-web:1.14.0
     restart: always
     depends_on:
       db:

src/GmRelay.Web/Components/Layout/NavMenu.razor

@@ -56,7 +56,7 @@
                     </button>
                 </form>
 
-                <div class="nav-version">v1.13.0</div>
+                <div class="nav-version">v1.14.0</div>
             </div>
         </Authorized>
         <NotAuthorized>