fixing security scan mount points

.gitea/workflows/security.yaml

@@ -30,15 +30,19 @@ jobs:
       - name: Gitleaks
         run: |
           set +e
-          docker run --rm \
+          cid="$(docker create \
-            -v ${{ gitea.workspace }}:/repo \
             ghcr.io/gitleaks/gitleaks:latest \
             detect \
             --source /repo \
             --report-format json \
             --report-path /repo/security-results/gitleaks.json \
-            --exit-code 1
+            --exit-code 1)"
-          echo "$?" > security-results/gitleaks.exit
+          docker cp . "$cid:/repo"
+          docker start -a "$cid"
+          status="$?"
+          docker cp "$cid:/repo/security-results/gitleaks.json" security-results/gitleaks.json || true
+          docker rm -f "$cid" >/dev/null 2>&1 || true
+          echo "$status" > security-results/gitleaks.exit
 
       ###########################################################
       # SEMGREP
@@ -47,16 +51,21 @@ jobs:
       - name: Semgrep
         run: |
           set +e
-          docker run --rm \
+          cid="$(docker create \
-            -v ${{ gitea.workspace }}:/src \
+            --workdir /src \
             semgrep/semgrep \
             semgrep scan \
             --config auto \
             --json \
             --output /src/security-results/semgrep.json \
             --error \
-            /src
+            /src)"
-          echo "$?" > security-results/semgrep.exit
+          docker cp . "$cid:/src"
+          docker start -a "$cid"
+          status="$?"
+          docker cp "$cid:/src/security-results/semgrep.json" security-results/semgrep.json || true
+          docker rm -f "$cid" >/dev/null 2>&1 || true
+          echo "$status" > security-results/semgrep.exit
 
       ###########################################################
       # TRIVY FS
@@ -65,8 +74,7 @@ jobs:
       - name: Trivy Filesystem
         run: |
           set +e
-          docker run --rm \
+          cid="$(docker create \
-            -v ${{ gitea.workspace }}:/workspace \
             aquasec/trivy:latest \
             fs \
             --scanners vuln,secret,misconfig \
@@ -74,8 +82,13 @@ jobs:
             --format json \
             --output /workspace/security-results/trivy-fs.json \
             --exit-code 1 \
-            /workspace
+            /workspace)"
-          echo "$?" > security-results/trivy-fs.exit
+          docker cp . "$cid:/workspace"
+          docker start -a "$cid"
+          status="$?"
+          docker cp "$cid:/workspace/security-results/trivy-fs.json" security-results/trivy-fs.json || true
+          docker rm -f "$cid" >/dev/null 2>&1 || true
+          echo "$status" > security-results/trivy-fs.exit
 
       ###########################################################
       # DOCKER IMAGE BUILD
@@ -100,17 +113,20 @@ jobs:
             exit 0
           fi
 
-          docker run --rm \
+          cid="$(docker create \
             -v /var/run/docker.sock:/var/run/docker.sock \
-            -v ${{ gitea.workspace }}:/workspace \
             aquasec/trivy:latest \
             image \
             --severity HIGH,CRITICAL \
             --format json \
-            --output /workspace/security-results/trivy-image.json \
+            --output /tmp/trivy-image.json \
             --exit-code 1 \
-            app:${{ gitea.sha }}
+            app:${{ gitea.sha }})"
-          echo "$?" > security-results/trivy-image.exit
+          docker start -a "$cid"
+          status="$?"
+          docker cp "$cid:/tmp/trivy-image.json" security-results/trivy-image.json || true
+          docker rm -f "$cid" >/dev/null 2>&1 || true
+          echo "$status" > security-results/trivy-image.exit
 
       - name: Create Gitea issues for security findings
         if: always()