add trivy scan to pipeline

2025-09-29 16:27:19 +10:00 · 2025-09-29 16:27:19 +10:00 · d2a36f6d99
commit d2a36f6d99
parent ab23eec10b
1 changed files with 61 additions and 51 deletions
--- a/.gitea/workflows/build_push.yml
+++ b/.gitea/workflows/build_push.yml
@ -1,61 +1,71 @@
 name: Build and Push Image
 on:
-    push:
-        branches:
-            - master
+  push:
+    branches:
+      - master

 jobs:
-    build:
-        name: Build and push image
-        runs-on: ubuntu-latest
-        container: catthehacker/ubuntu:act-latest
-        if: gitea.ref == 'refs/heads/master'
+  build:
+    name: Build and push image
+    runs-on: ubuntu-latest
+    container: catthehacker/ubuntu:act-latest
+    if: gitea.ref == 'refs/heads/master'

-        steps:
-            - name: Checkout
-              uses: actions/checkout@v4
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4

-            - name: Create Kubeconfig
-              run: |
-                  mkdir $HOME/.kube
-                  echo "${{ secrets.KUBEC_CONFIG_BUILDX_NEW }}" > $HOME/.kube/config
+      - name: Create Kubeconfig
+        run: |
+          mkdir $HOME/.kube
+          echo "${{ secrets.KUBEC_CONFIG_BUILDX_NEW }}" > $HOME/.kube/config

-            - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3
-              with:
-                  driver: kubernetes
-                  driver-opts: |
-                      namespace=gitea-runner
-                      qemu.install=true
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: kubernetes
+          driver-opts: |
+            namespace=gitea-runner
+            qemu.install=true

-            - name: Login to Docker Registry
-              uses: docker/login-action@v3
-              with:
-                  registry: git.aridgwayweb.com
-                  username: armistace
-                  password: ${{ secrets.REG_PASSWORD }}
+      - name: Login to Docker Registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.aridgwayweb.com
+          username: armistace
+          password: ${{ secrets.REG_PASSWORD }}

-            - name: Build and push
-              uses: docker/build-push-action@v5
-              with:
-                  context: .
-                  push: true
-                  platforms: linux/amd64,linux/arm64
-                  tags: |
-                      git.aridgwayweb.com/armistace/blog:latest
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            git.aridgwayweb.com/armistace/blog:latest

-            - name: Deploy
-              run: |
-                  echo "Installing Kubectl"
-                  apt-get update
-                  apt-get install -y apt-transport-https ca-certificates curl gnupg
-                  curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.33/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
-                  chmod 644 /etc/apt/keyrings/kubernetes-apt-keyring.gpg
-                  echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.33/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list
-                  chmod 644 /etc/apt/sources.list.d/kubernetes.list
-                  apt-get update
-                  apt-get install kubectl
-                  kubectl delete namespace blog
-                  kubectl create namespace blog
-                  kubectl create secret docker-registry regcred --docker-server=${{ vars.DOCKER_SERVER }} --docker-username=${{ vars.DOCKER_USERNAME }} --docker-password='${{ secrets.DOCKER_PASSWORD }}' --docker-email=${{ vars.DOCKER_EMAIL }} --namespace=blog
-                  kubectl apply -f kube/blog_pod.yaml && kubectl apply -f kube/blog_deployment.yaml && kubectl apply -f kube/blog_service.yaml
+      - name: Trivy Scan
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ${{ vars.DOCKER_SERVER }}/${{ vars.DOCKER_USERNAME }}/blog:latest
+          format: table
+          exit-code: 1
+          ignore-unfixed: true
+          vuln-type: os,library
+          severity: HIGH,CRITICAL
+
+      - name: Deploy
+        run: |
+          echo "Installing Kubectl"
+          apt-get update
+          apt-get install -y apt-transport-https ca-certificates curl gnupg
+          curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.33/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
+          chmod 644 /etc/apt/keyrings/kubernetes-apt-keyring.gpg
+          echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.33/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list
+          chmod 644 /etc/apt/sources.list.d/kubernetes.list
+          apt-get update
+          apt-get install kubectl
+          kubectl delete namespace blog
+          kubectl create namespace blog
+          kubectl create secret docker-registry regcred --docker-server=${{ vars.DOCKER_SERVER }} --docker-username=${{ vars.DOCKER_USERNAME }} --docker-password='${{ secrets.DOCKER_PASSWORD }}' --docker-email=${{ vars.DOCKER_EMAIL }} --namespace=blog
+          kubectl apply -f kube/blog_pod.yaml && kubectl apply -f kube/blog_deployment.yaml && kubectl apply -f kube/blog_service.yaml