From cd5f00f5415aa68eda1644399b86c75b580cfd57 Mon Sep 17 00:00:00 2001
From: Astound
Date: Tue, 16 Jul 2024 12:22:32 +0800
Subject: Add trivy scan

---
 .gitea/workflows/release.yaml | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)
(limited to '.gitea/workflows/release.yaml')

diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml
index 7770b5a..60112a1 100644
--- a/.gitea/workflows/release.yaml
+++ b/.gitea/workflows/release.yaml
@@ -30,7 +30,8 @@ jobs:
 username: ${{ secrets.DOCKER_REGISTRY_USER }}
 password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
 
- - name: Build and push
+ - name: Build Docker image
+ id: build-image
 uses: docker/build-push-action@v6
 with:
 context: gitolite-cgit
@@ -38,7 +39,30 @@ jobs:
 platforms: |
 linux/amd64
 linux/386
- push: true
+ push: false
 no-cache: true
 tags: |
 rusian/gitolite-cgit:latest
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: rusian/gitolite-cgit:latest
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Push Docker image
+ uses: docker/build-push-action@v6
+ with:
+ context: gitolite-cgit
+ file: gitolite-cgit/Dockerfile
+ platforms: |
+ linux/amd64
+ linux/386
+ push: true
+ no-cache: false
+ tags: |
+ rusian/gitolite-cgit:latest
-- 
cgit v1.2.3
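Review bot: The Trivy step scans `image-ref: rusian/gitolite-cgit:latest`, but the build step it follows now has `push: false` and no `load: true`, so unless the job's builder is the plain docker driver (the builder setup is outside this hunk) that tag is not in the local daemon and Trivy will pull the previously published image from the registry rather than the one just built — the gate then passes or fails on the old image. Exporting the build (`load: true` for a single platform, or an `outputs:` tarball scanned through trivy-action's `input:`) and scanning that artifact would tie the scan to the bits the final step pushes; note that `load` cannot import a multi-platform build, so with `linux/amd64` and `linux/386` the scan would need to run per platform. `uses: aquasecurity/trivy-action@master` tracks a mutable branch while the build steps pin `@v6`; pinning the scanner to a release tag or commit SHA keeps the gate's own code from changing under the workflow. The `id: build-image` added in the first hunk is not referenced anywhere in the diff.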