From 043ed9ce450230b69e1012518834546fb870c7e8 Mon Sep 17 00:00:00 2001 From: Toutsu Date: Tue, 12 May 2026 12:42:32 +0300 Subject: [PATCH] ci: add Trivy security scanning (SAST/SCA) to pipeline - PR checks: filesystem scan with Trivy (vuln, secret, misconfig) - Deploy pipeline: image scan for bot and web containers before deploy - Scans entire repository, not filtered file subsets - Bump version -> 1.14.0 Co-Authored-By: Claude Opus 4.7 --- .gitea/workflows/deploy.yml | 29 +++++++++++++++++-- .gitea/workflows/pr-checks.yml | 19 ++++++++++++ Directory.Build.props | 2 +- compose.yaml | 4 +-- .../Components/Layout/NavMenu.razor | 2 +- 5 files changed, 50 insertions(+), 6 deletions(-) diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml index ff9e9e4..932e3fa 100644 --- a/.gitea/workflows/deploy.yml +++ b/.gitea/workflows/deploy.yml @@ -6,7 +6,7 @@ on: - main env: - VERSION: 1.13.0 + VERSION: 1.14.0 jobs: # ЧАСТЬ 1: Собираем образы и кладем в Gitea (чтобы делиться с ребятами) @@ -51,9 +51,34 @@ jobs: docker push git.codeanddice.ru/toutsu/gmrelay-web:latest docker push git.codeanddice.ru/toutsu/gmrelay-web:${{ env.VERSION }} + # ЧАСТЬ 1.5: Сканируем собранные образы на уязвимости + scan-images: + needs: build-and-push + runs-on: ubuntu-latest + steps: + - name: Install Trivy + run: | + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + + - name: Scan Bot image + run: | + trivy image \ + --severity HIGH,CRITICAL \ + --exit-code 1 \ + --format table \ + git.codeanddice.ru/toutsu/gmrelay-bot:${{ env.VERSION }} + + - name: Scan Web image + run: | + trivy image \ + --severity HIGH,CRITICAL \ + --exit-code 1 \ + --format table \ + git.codeanddice.ru/toutsu/gmrelay-web:${{ env.VERSION }} + # ЧАСТЬ 2: Запускаем эти образы на самом сервере deploy: - needs: build-and-push + needs: scan-images runs-on: ubuntu-latest # Тот же локальный раннер steps: - name: Checkout repository 
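Review bot: The new scan-images job only runs after build-and-push has already pushed both `:latest` and `:${{ env.VERSION }}` to git.codeanddice.ru, so a HIGH/CRITICAL finding blocks the deploy step but leaves the vulnerable image published under `latest` for anyone who pulls it; scanning the locally built image between `docker build` and `docker push` inside build-and-push (or pushing `latest` only after the scan passes) closes that gap. The installer is fetched unpinned from the `main` branch of the trivy repository and piped straight into `sh`, so the scanner version and its rules change silently between runs; pin a release tag as the installer's last argument, e.g. `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v<pinned-release>`, and ideally verify the downloaded binary's checksum. The job also contains no registry login, so unless the registry allows anonymous pulls `trivy image` will fail to fetch the images; whatever credentials build-and-push uses (outside this hunk) must be supplied here too, for example via `TRIVY_USERNAME`/`TRIVY_PASSWORD`. Finally, without `--ignore-unfixed` any unfixed base-image CVE will block every deploy until upstream ships a patch, which may or may not be the intended policy.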
diff --git a/.gitea/workflows/pr-checks.yml b/.gitea/workflows/pr-checks.yml index b9177cb..8613723 100644 --- a/.gitea/workflows/pr-checks.yml +++ b/.gitea/workflows/pr-checks.yml @@ -6,6 +6,25 @@ on: - main jobs: + security-scan: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Install Trivy + run: | + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + + - name: Run Trivy filesystem scan (full repo) + run: | + trivy fs \ + --scanners vuln,secret,misconfig \ + --severity HIGH,CRITICAL \ + --exit-code 1 \ + --format table \ + . + test-and-build: runs-on: ubuntu-latest steps: diff --git a/Directory.Build.props b/Directory.Build.props index efc3923..385424b 100644 --- a/Directory.Build.props +++ b/Directory.Build.props @@ -1,6 +1,6 @@ - 1.13.0 + 1.14.0 net10.0 preview enable diff --git a/compose.yaml b/compose.yaml index a21fd8c..3f17b13 100644 --- a/compose.yaml +++ b/compose.yaml @@ -17,7 +17,7 @@ services: retries: 10 bot: - image: git.codeanddice.ru/toutsu/gmrelay-bot:1.13.0 + image: git.codeanddice.ru/toutsu/gmrelay-bot:1.14.0 restart: always depends_on: db: @@ -30,7 +30,7 @@ services: - gmrelay web: - image: git.codeanddice.ru/toutsu/gmrelay-web:1.13.0 + image: git.codeanddice.ru/toutsu/gmrelay-web:1.14.0 restart: always depends_on: db: diff --git a/src/GmRelay.Web/Components/Layout/NavMenu.razor b/src/GmRelay.Web/Components/Layout/NavMenu.razor index 0afd0c0..92c036b 100644 --- a/src/GmRelay.Web/Components/Layout/NavMenu.razor +++ b/src/GmRelay.Web/Components/Layout/NavMenu.razor @@ -56,7 +56,7 @@ - +
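Review bot: The `vuln` scanner in `trivy fs --scanners vuln,secret,misconfig` will report nothing for this .NET solution unless the repository commits `packages.lock.json` files or the scan runs over a build output containing `*.deps.json`, because Trivy's .NET analyzer reads lock/deps files rather than PackageReference entries in `.csproj`; no such file appears in this diff, so the SCA half of the gate may be silently empty. Enabling `<RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>` in Directory.Build.props and committing the resulting lock files, or running the scan after `dotnet publish` in test-and-build, makes the dependency check meaningful. The install step pipes an unpinned script from the trivy `main` branch into `sh`; pin a release tag as the installer's last argument so the PR gate does not change behaviour from one run to the next. Note also that `trivy fs` performs dependency, secret and misconfiguration scanning rather than SAST, so the commit title overstates what this job covers.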