From 043ed9ce450230b69e1012518834546fb870c7e8 Mon Sep 17 00:00:00 2001
From: Toutsu
Date: Tue, 12 May 2026 12:42:32 +0300
Subject: [PATCH 1/2] ci: add Trivy security scanning (SAST/SCA) to pipeline

- PR checks: filesystem scan with Trivy (vuln, secret, misconfig)
- Deploy pipeline: image scan for bot and web containers before deploy
- Scans entire repository, not filtered file subsets
- Bump version -> 1.14.0

Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/deploy.yml         | 29 +++++++++++++++++--
 .gitea/workflows/pr-checks.yml      | 19 ++++++++++++
 Directory.Build.props               |  2 +-
 compose.yaml                        |  4 +--
 .../Components/Layout/NavMenu.razor |  2 +-
 5 files changed, 50 insertions(+), 6 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index ff9e9e4..932e3fa 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -6,7 +6,7 @@ on:
       - main
 
 env:
-  VERSION: 1.13.0
+  VERSION: 1.14.0
 
 jobs:
   # ЧАСТЬ 1: Собираем образы и кладем в Gitea (чтобы делиться с ребятами)
@@ -51,9 +51,34 @@ jobs:
           docker push git.codeanddice.ru/toutsu/gmrelay-web:latest
           docker push git.codeanddice.ru/toutsu/gmrelay-web:${{ env.VERSION }}
 
+  # ЧАСТЬ 1.5: Сканируем собранные образы на уязвимости
+  scan-images:
+    needs: build-and-push
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Scan Bot image
+        run: |
+          trivy image \
+            --severity HIGH,CRITICAL \
+            --exit-code 1 \
+            --format table \
+            git.codeanddice.ru/toutsu/gmrelay-bot:${{ env.VERSION }}
+
+      - name: Scan Web image
+        run: |
+          trivy image \
+            --severity HIGH,CRITICAL \
+            --exit-code 1 \
+            --format table \
+            git.codeanddice.ru/toutsu/gmrelay-web:${{ env.VERSION }}
+
   # ЧАСТЬ 2: Запускаем эти образы на самом сервере
   deploy:
-    needs: build-and-push
+    needs: scan-images
     runs-on: ubuntu-latest  # Тот же локальный раннер
     steps:
       - name: Checkout repository
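Review bot: The new scan-images job runs on a fresh `ubuntu-latest` runner and pulls `git.codeanddice.ru/toutsu/gmrelay-bot:${{ env.VERSION }}` via `trivy image`, but it has no registry login step; if that registry requires authentication the pull fails before any scanning happens and the job fails for the wrong reason, so the credentials the build-and-push job uses (outside this hunk) need to reach the scan steps too, e.g. `env:` with `TRIVY_USERNAME: ${{ secrets.<REGISTRY_USER> }}` and `TRIVY_PASSWORD: ${{ secrets.<REGISTRY_TOKEN> }}`, or a `docker login` step. Separately, `curl … trivy/main/contrib/install.sh | sh` installs whatever the unpinned `main` branch serves at run time, which makes the security gate itself an unpinned dependency; the installer accepts a release tag, `sh -s -- -b /usr/local/bin <TRIVY_VERSION>`, and the same applies to the Install Trivy step in pr-checks.yml. Note also that `--exit-code 1` without `--ignore-unfixed` will block deploys on HIGH/CRITICAL findings in the base image that have no upstream fix yet; whether that is intended is a policy decision worth stating in the `# ЧАСТЬ 1.5` comment.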
diff --git a/.gitea/workflows/pr-checks.yml b/.gitea/workflows/pr-checks.yml
index b9177cb..8613723 100644
--- a/.gitea/workflows/pr-checks.yml
+++ b/.gitea/workflows/pr-checks.yml
@@ -6,6 +6,25 @@ on:
       - main
 
 jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Run Trivy filesystem scan (full repo)
+        run: |
+          trivy fs \
+            --scanners vuln,secret,misconfig \
+            --severity HIGH,CRITICAL \
+            --exit-code 1 \
+            --format table \
+            .
+
   test-and-build:
     runs-on: ubuntu-latest
     steps:
diff --git a/Directory.Build.props b/Directory.Build.props
index efc3923..385424b 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -1,6 +1,6 @@
- 1.13.0 + 1.14.0 net10.0 preview enable
diff --git a/compose.yaml b/compose.yaml
index a21fd8c..3f17b13 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -17,7 +17,7 @@ services:
       retries: 10
 
   bot:
-    image: git.codeanddice.ru/toutsu/gmrelay-bot:1.13.0
+    image: git.codeanddice.ru/toutsu/gmrelay-bot:1.14.0
     restart: always
     depends_on:
       db:
@@ -30,7 +30,7 @@ services:
       - gmrelay
 
   web:
-    image: git.codeanddice.ru/toutsu/gmrelay-web:1.13.0
+    image: git.codeanddice.ru/toutsu/gmrelay-web:1.14.0
     restart: always
     depends_on:
       db:
diff --git a/src/GmRelay.Web/Components/Layout/NavMenu.razor b/src/GmRelay.Web/Components/Layout/NavMenu.razor
index 0afd0c0..92c036b 100644
--- a/src/GmRelay.Web/Components/Layout/NavMenu.razor
+++ b/src/GmRelay.Web/Components/Layout/NavMenu.razor
@@ -56,7 +56,7 @@
- +

From 06d40fdbc8bea03bb40fc7fce36bb85201a36882 Mon Sep 17 00:00:00 2001
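Review bot: The security-scan job runs `trivy fs --scanners vuln,secret,misconfig .` on a bare checkout, before any `dotnet restore`, and as far as I know Trivy's .NET vulnerability analyzer only reads `packages.lock.json`, `packages.config` and build-output `*.deps.json` — it does not resolve `PackageReference` entries in `.csproj` files — so unless lock files are committed (not visible from this hunk) the SCA half of this job will report a clean result without having examined a single NuGet package. Either commit lock files (`<RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>` in Directory.Build.props) or move the scan into test-and-build after the restore/build steps, where the `*.deps.json` files exist. `actions/checkout@v4` is referenced by floating major tag rather than a commit SHA, which is worth tightening for a job whose purpose is supply-chain gating. The secret scanner combined with `--exit-code 1` fails the PR on any match anywhere in the tree, so a `.trivyignore` or `--skip-dirs` for test fixtures with dummy keys should be in place before merge if such files exist.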
From: Toutsu
Date: Tue, 12 May 2026 12:45:36 +0300
Subject: [PATCH 2/2] ci: add deep SAST via SecurityCodeScan Roslyn analyzer

- SecurityCodeScan.VS2019 5.6.7 injected into Directory.Build.props scans all C# source during every dotnet build
- HIGH/CRITICAL findings fail the build because TreatWarningsAsErrors=true
- No extra CI step needed: analyzer runs inside every build job automatically

Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/pr-checks.yml | 6 +++---
 Directory.Build.props          | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/.gitea/workflows/pr-checks.yml b/.gitea/workflows/pr-checks.yml
index 8613723..af8671d 100644
--- a/.gitea/workflows/pr-checks.yml
+++ b/.gitea/workflows/pr-checks.yml
@@ -39,13 +39,13 @@ jobs:
       - name: Restore dependencies
         run: dotnet restore
 
-      - name: Build Shared
+      - name: Build Shared (includes SAST via SecurityCodeScan)
         run: dotnet build src/GmRelay.Shared/GmRelay.Shared.csproj --no-restore
 
-      - name: Build Bot (compile check)
+      - name: Build Bot (compile check, includes SAST)
         run: dotnet build src/GmRelay.Bot/GmRelay.Bot.csproj --no-restore
 
-      - name: Build Web (compile check)
+      - name: Build Web (compile check, includes SAST)
         run: dotnet build src/GmRelay.Web/GmRelay.Web.csproj --no-restore
 
       - name: Run tests
diff --git a/Directory.Build.props b/Directory.Build.props
index 385424b..abbd5a4 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -7,4 +7,8 @@
 enable true + + + +
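Review bot: The XML of this Directory.Build.props hunk is not rendered in this view, so this goes by the commit message: if the analyzer is added as a plain `<PackageReference Include="SecurityCodeScan.VS2019" Version="5.6.7" />`, it should carry `PrivateAssets="all"` so the analyzer package does not flow as a transitive dependency of GmRelay.Shared into the Bot and Web projects' outputs. The description's "HIGH/CRITICAL findings fail the build because TreatWarningsAsErrors=true" is not quite what that property does — it promotes every warning, so all SecurityCodeScan diagnostics (which default to warning severity) become build errors regardless of rating, and any per-rule tuning has to be expressed in an .editorconfig `dotnet_diagnostic.<RULE_ID>.severity` entry rather than by severity class. That project has not been updated for some time, so its rule set will not know newer net10.0 APIs; a short comment next to the reference saying it is a baseline that complements, not replaces, the Trivy scans from the previous patch would help the next maintainer. The surrounding `<PropertyGroup>` and `<Project>` elements start outside the hunk.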