Merge remote-tracking branch 'origin/main' into feature/trivy-security-scan

ci: add deep SAST via SecurityCodeScan Roslyn analyzer
- SecurityCodeScan.VS2019 5.6.7 injected into Directory.Build.props scans all C# source during every dotnet build - HIGH/CRITICAL findings fail the build because TreatWarningsAsErrors=true - No extra CI step needed: analyzer runs inside every build job automatically Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-12 12:59:49 +03:00 · 2026-05-12 12:45:36 +03:00 · 2026-05-12 12:42:32 +03:00 · 2026-05-11 14:29:04 +03:00
4 changed files with 33 additions and 4 deletions
@@ -51,9 +51,34 @@ jobs:
          docker push git.codeanddice.ru/toutsu/gmrelay-web:latest
          docker push git.codeanddice.ru/toutsu/gmrelay-web:${{ env.VERSION }}
  # ЧАСТЬ 1.5: Сканируем собранные образы на уязвимости
  scan-images:
    needs: build-and-push
    runs-on: ubuntu-latest
    steps:
      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
      - name: Scan Bot image
        run: |
          trivy image \
            --severity HIGH,CRITICAL \
            --exit-code 1 \
            --format table \
            git.codeanddice.ru/toutsu/gmrelay-bot:${{ env.VERSION }}
      - name: Scan Web image
        run: |
          trivy image \
            --severity HIGH,CRITICAL \
            --exit-code 1 \
            --format table \
            git.codeanddice.ru/toutsu/gmrelay-web:${{ env.VERSION }}
  # ЧАСТЬ 2: Запускаем эти образы на самом сервере
  deploy:
-    needs: build-and-push
+    needs: scan-images
    runs-on: ubuntu-latest # Тот же локальный раннер
    steps:
      - name: Checkout repository
@@ -61,15 +61,15 @@ jobs:
          fi
          exit "${trivy_exit}"
-      # ── Build ──
+      # ── Build (includes SAST via SecurityCodeScan Roslyn analyzer) ──
      - name: Build Shared
        run: dotnet build src/GmRelay.Shared/GmRelay.Shared.csproj --no-restore
-      - name: Build Bot (compile check)
+      - name: Build Bot (compile check, includes SAST)
        run: dotnet build src/GmRelay.Bot/GmRelay.Bot.csproj --no-restore
-      - name: Build Web (compile check)
+      - name: Build Web (compile check, includes SAST)
        run: dotnet build src/GmRelay.Web/GmRelay.Web.csproj --no-restore
      # ── Tests ──
@@ -8,4 +8,8 @@
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="SecurityCodeScan.VS2019" Version="5.6.7" PrivateAssets="all" />
  </ItemGroup>
 </Project>
Author	SHA1	Message	Date
Toutsu	11f6b1bcc9	Merge remote-tracking branch 'origin/main' into feature/trivy-security-scan PR Checks / test-and-build (pull_request) Successful in 5m50s Details	2026-05-12 12:59:49 +03:00
Toutsu	06d40fdbc8	ci: add deep SAST via SecurityCodeScan Roslyn analyzer PR Checks / security-scan (pull_request) Failing after 1m17s Details PR Checks / test-and-build (pull_request) Successful in 3m27s Details - SecurityCodeScan.VS2019 5.6.7 injected into Directory.Build.props scans all C# source during every dotnet build - HIGH/CRITICAL findings fail the build because TreatWarningsAsErrors=true - No extra CI step needed: analyzer runs inside every build job automatically Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 12:45:36 +03:00
Toutsu	043ed9ce45	ci: add Trivy security scanning (SAST/SCA) to pipeline PR Checks / security-scan (pull_request) Failing after 1m15s Details PR Checks / test-and-build (pull_request) Successful in 3m24s Details - PR checks: filesystem scan with Trivy (vuln, secret, misconfig) - Deploy pipeline: image scan for bot and web containers before deploy - Scans entire repository, not filtered file subsets - Bump version -> 1.14.0 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 12:42:32 +03:00
Toutsu	c9627e51a2	chore: ignore .claude and .serena directories	2026-05-11 14:29:04 +03:00