@@ -30,15 +30,19 @@ jobs:
|
||||
- name: Gitleaks
|
||||
run: |
|
||||
set +e
|
||||
docker run --rm \
|
||||
-v ${{ gitea.workspace }}:/repo \
|
||||
cid="$(docker create \
|
||||
ghcr.io/gitleaks/gitleaks:latest \
|
||||
detect \
|
||||
--source /repo \
|
||||
--report-format json \
|
||||
--report-path /repo/security-results/gitleaks.json \
|
||||
--exit-code 1
|
||||
echo "$?" > security-results/gitleaks.exit
|
||||
--exit-code 1)"
|
||||
docker cp . "$cid:/repo"
|
||||
docker start -a "$cid"
|
||||
status="$?"
|
||||
docker cp "$cid:/repo/security-results/gitleaks.json" security-results/gitleaks.json || true
|
||||
docker rm -f "$cid" >/dev/null 2>&1 || true
|
||||
echo "$status" > security-results/gitleaks.exit
|
||||
|
||||
###########################################################
|
||||
# SEMGREP
|
||||
@@ -47,16 +51,21 @@ jobs:
|
||||
- name: Semgrep
|
||||
run: |
|
||||
set +e
|
||||
docker run --rm \
|
||||
-v ${{ gitea.workspace }}:/src \
|
||||
cid="$(docker create \
|
||||
--workdir /src \
|
||||
semgrep/semgrep \
|
||||
semgrep scan \
|
||||
--config auto \
|
||||
--json \
|
||||
--output /src/security-results/semgrep.json \
|
||||
--error \
|
||||
/src
|
||||
echo "$?" > security-results/semgrep.exit
|
||||
/src)"
|
||||
docker cp . "$cid:/src"
|
||||
docker start -a "$cid"
|
||||
status="$?"
|
||||
docker cp "$cid:/src/security-results/semgrep.json" security-results/semgrep.json || true
|
||||
docker rm -f "$cid" >/dev/null 2>&1 || true
|
||||
echo "$status" > security-results/semgrep.exit
|
||||
|
||||
###########################################################
|
||||
# TRIVY FS
|
||||
@@ -65,8 +74,7 @@ jobs:
|
||||
- name: Trivy Filesystem
|
||||
run: |
|
||||
set +e
|
||||
docker run --rm \
|
||||
-v ${{ gitea.workspace }}:/workspace \
|
||||
cid="$(docker create \
|
||||
aquasec/trivy:latest \
|
||||
fs \
|
||||
--scanners vuln,secret,misconfig \
|
||||
@@ -74,8 +82,13 @@ jobs:
|
||||
--format json \
|
||||
--output /workspace/security-results/trivy-fs.json \
|
||||
--exit-code 1 \
|
||||
/workspace
|
||||
echo "$?" > security-results/trivy-fs.exit
|
||||
/workspace)"
|
||||
docker cp . "$cid:/workspace"
|
||||
docker start -a "$cid"
|
||||
status="$?"
|
||||
docker cp "$cid:/workspace/security-results/trivy-fs.json" security-results/trivy-fs.json || true
|
||||
docker rm -f "$cid" >/dev/null 2>&1 || true
|
||||
echo "$status" > security-results/trivy-fs.exit
|
||||
|
||||
###########################################################
|
||||
# DOCKER IMAGE BUILD
|
||||
@@ -100,17 +113,20 @@ jobs:
|
||||
exit 0
|
||||
fi
|
||||
|
||||
docker run --rm \
|
||||
cid="$(docker create \
|
||||
-v /var/run/docker.sock:/var/run/docker.sock \
|
||||
-v ${{ gitea.workspace }}:/workspace \
|
||||
aquasec/trivy:latest \
|
||||
image \
|
||||
--severity HIGH,CRITICAL \
|
||||
--format json \
|
||||
--output /workspace/security-results/trivy-image.json \
|
||||
--output /tmp/trivy-image.json \
|
||||
--exit-code 1 \
|
||||
app:${{ gitea.sha }}
|
||||
echo "$?" > security-results/trivy-image.exit
|
||||
app:${{ gitea.sha }})"
|
||||
docker start -a "$cid"
|
||||
status="$?"
|
||||
docker cp "$cid:/tmp/trivy-image.json" security-results/trivy-image.json || true
|
||||
docker rm -f "$cid" >/dev/null 2>&1 || true
|
||||
echo "$status" > security-results/trivy-image.exit
|
||||
|
||||
- name: Create Gitea issues for security findings
|
||||
if: always()
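Review bot: If `docker create` fails (image pull error, daemon unreachable), `cid` is empty but `docker start -a ""` still runs, so `status` holds Docker's own error code and `security-results/trivy-image.exit` ends up non-zero in a way the consumer cannot tell apart from a real finding; a guard right after the create, such as `[ -n "$cid" ] || { echo 2 > security-results/trivy-image.exit; exit 0; }`, keeps the exit file honest, and the same applies to the three `docker create` blocks above. Separately, this container still receives `/var/run/docker.sock`, which is root-equivalent on the runner host, while `aquasec/trivy:latest` is an unpinned mutable tag; when the socket must be mounted, pinning the image by digest (`aquasec/trivy:<version>@sha256:<digest> \`) is the usual mitigation, and the gitleaks step above could additionally run with `--network none` since it needs no network. The step that consumes the `.exit` files is outside this hunk, so how it would treat a distinct value like 2 is inferred, not verified.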
|
||||
|
||||