.gitea/workflows/delpoy.yml aktualisiert

2026-05-20 18:03:25 +00:00
parent 8766e534df
commit d1025134cd
+26 -3
@@ -29,6 +29,8 @@ jobs:
env: env:
GIT_USER: ${{ vars.GIT_USER }} GIT_USER: ${{ vars.GIT_USER }}
GIT_TOKEN: ${{ secrets.GIT_TOKEN }} GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
TRIVY_REGISTRY_USER: ${{ vars.TRIVY_REGISTRY_USER }}
TRIVY_REGISTRY_PASSWORD: ${{ secrets.TRIVY_REGISTRY_PASSWORD }}
steps: steps:
- name: Scan Docker images for vulnerabilities - name: Scan Docker images for vulnerabilities
@@ -108,6 +110,12 @@ jobs:
exit 0 exit 0
fi fi
if [ -n "${TRIVY_REGISTRY_USER:-}" ] || [ -n "${TRIVY_REGISTRY_PASSWORD:-}" ]; then
: "${TRIVY_REGISTRY_USER:?TRIVY_REGISTRY_USER is required when TRIVY_REGISTRY_PASSWORD is set}"
: "${TRIVY_REGISTRY_PASSWORD:?TRIVY_REGISTRY_PASSWORD is required when TRIVY_REGISTRY_USER is set}"
echo "Using registry credentials from TRIVY_REGISTRY_USER/TRIVY_REGISTRY_PASSWORD"
fi
TRIVY_IGNORE_ARGS="" TRIVY_IGNORE_ARGS=""
if [ -f cve_blacklist.txt ]; then if [ -f cve_blacklist.txt ]; then
@@ -137,7 +145,22 @@ jobs:
echo "" echo ""
echo "Scanning ${image}" echo "Scanning ${image}"
if ! trivy \ if [ -n "${TRIVY_REGISTRY_USER:-}" ]; then
if ! trivy \
image \
--username "${TRIVY_REGISTRY_USER}" \
--password "${TRIVY_REGISTRY_PASSWORD}" \
--scanners "${TRIVY_IMAGE_SCANNERS}" \
--vex "${TRIVY_VEX}" \
--exit-code 1 \
--severity "${TRIVY_SEVERITY}" \
--ignore-unfixed \
${TRIVY_IGNORE_ARGS} \
--no-progress \
"${image}"; then
failed=1
fi
elif ! trivy \
image \ image \
--scanners "${TRIVY_IMAGE_SCANNERS}" \ --scanners "${TRIVY_IMAGE_SCANNERS}" \
--vex "${TRIVY_VEX}" \ --vex "${TRIVY_VEX}" \
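Review bot: The registry password is put on the trivy command line (`--password "${TRIVY_REGISTRY_PASSWORD}"`), where it is visible to anything that can list processes on the runner and would be printed verbatim by a shell trace, while the job env already carries the same value. Trivy accepts these flags from the environment as `TRIVY_USERNAME`/`TRIVY_PASSWORD` (the env form of `--username`/`--password`, as far as I recall), so exporting those once — most naturally inside the credential check earlier in this step — lets the scan keep a single `trivy image` invocation. That also removes the second full copy of the flag list, so the `if`/`elif` branches cannot drift when a flag is later added to only one of them. The per-image loop and the `failed` handling continue outside this hunk.

```shell
if [ -n "${TRIVY_REGISTRY_USER:-}" ]; then
  # pass credentials through the environment, not argv
  export TRIVY_USERNAME="${TRIVY_REGISTRY_USER}"
  export TRIVY_PASSWORD="${TRIVY_REGISTRY_PASSWORD}"
fi
# … unchanged: one trivy image invocation with --scanners/--vex/--exit-code/--severity/--ignore-unfixed/${TRIVY_IGNORE_ARGS}/--no-progress, without --username/--password …
if ! trivy image --scanners "${TRIVY_IMAGE_SCANNERS}" --no-progress "${image}"; then
  failed=1
fi
```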
@@ -147,12 +170,12 @@ jobs:
${TRIVY_IGNORE_ARGS} \ ${TRIVY_IGNORE_ARGS} \
--no-progress \ --no-progress \
"${image}"; then "${image}"; then
failed=1 failed=1
fi fi
done < images.txt done < images.txt
if [ "$failed" -ne 0 ]; then if [ "$failed" -ne 0 ]; then
echo "WARNING: High or critical vulnerabilities were found in one or more Docker images. Deployment stopped." echo "WARNING: One or more Docker image scans failed or found ${TRIVY_SEVERITY} vulnerabilities. Deployment stopped."
exit 1 exit 1
fi fi