diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index c31e0bc..932e3fa 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -51,9 +51,34 @@ jobs:
docker push git.codeanddice.ru/toutsu/gmrelay-web:latest
docker push git.codeanddice.ru/toutsu/gmrelay-web:${{ env.VERSION }}
+ # ЧАСТЬ 1.5: Сканируем собранные образы на уязвимости
+ scan-images:
+ needs: build-and-push
+ runs-on: ubuntu-latest
+ steps:
+ - name: Install Trivy
+ run: |
+ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+
+ - name: Scan Bot image
+ run: |
+ trivy image \
+ --severity HIGH,CRITICAL \
+ --exit-code 1 \
+ --format table \
+ git.codeanddice.ru/toutsu/gmrelay-bot:${{ env.VERSION }}
+
+ - name: Scan Web image
+ run: |
+ trivy image \
+ --severity HIGH,CRITICAL \
+ --exit-code 1 \
+ --format table \
+ git.codeanddice.ru/toutsu/gmrelay-web:${{ env.VERSION }}
+
# ЧАСТЬ 2: Запускаем эти образы на самом сервере
deploy:
- needs: build-and-push
+ needs: scan-images
runs-on: ubuntu-latest # Тот же локальный раннер
steps:
- name: Checkout repository
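Review bot: The `Install Trivy` step fetches `contrib/install.sh` from the moving `main` branch and pipes it straight to `sh`, so the scanner that now gates `deploy` is itself an unpinned, unverified download; pin both the script and the binary to a release tag, e.g. `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/<TRIVY_TAG>/contrib/install.sh | sh -s -- -b /usr/local/bin <TRIVY_TAG>`, or install a checksum-verified release artifact. `${{ env.VERSION }}` in the two scan steps is presumably set inside `build-and-push` (that job begins outside the hunk); an `env` value written via `$GITHUB_ENV` is job-scoped, so unless VERSION is a workflow-level `env`, both scans resolve to an empty tag and should read it from a job output instead. The scan steps also pull from `git.codeanddice.ru` with no login step, so if that registry requires authentication the job fails before Trivy runs. Both images, including the `:latest` tag, are already pushed before this job starts, so a failing scan blocks `deploy` but still leaves a vulnerable `latest` in the registry; scanning before the push, or pushing `latest` only after the scan passes, would close that gap.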
diff --git a/.gitea/workflows/pr-checks.yml b/.gitea/workflows/pr-checks.yml
index 073c238..2f06423 100644
--- a/.gitea/workflows/pr-checks.yml
+++ b/.gitea/workflows/pr-checks.yml
@@ -61,15 +61,15 @@ jobs:
fi
exit "${trivy_exit}"
- # ── Build ──
+ # ── Build (includes SAST via SecurityCodeScan Roslyn analyzer) ──
- name: Build Shared
run: dotnet build src/GmRelay.Shared/GmRelay.Shared.csproj --no-restore
- - name: Build Bot (compile check)
+ - name: Build Bot (compile check, includes SAST)
run: dotnet build src/GmRelay.Bot/GmRelay.Bot.csproj --no-restore
- - name: Build Web (compile check)
+ - name: Build Web (compile check, includes SAST)
run: dotnet build src/GmRelay.Web/GmRelay.Web.csproj --no-restore
# ── Tests ──
diff --git a/Directory.Build.props b/Directory.Build.props
index c0556fb..7a5fd28 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -8,4 +8,8 @@
true
true
+
+
+
+