add trivy scan to pipeline

2025-09-29 16:27:19 +10:00 · 2025-09-29 16:27:19 +10:00 · d2a36f6d99
commit d2a36f6d99
parent ab23eec10b
1 changed files with 61 additions and 51 deletions
--- a/.gitea/workflows/build_push.yml
+++ b/.gitea/workflows/build_push.yml
@ -1,61 +1,71 @@
 name: Build and Push Image
 on:
-    push:
+  push:
-        branches:
+    branches:
-            - master
+      - master
 jobs:
-    build:
+  build:
-        name: Build and push image
+    name: Build and push image
-        runs-on: ubuntu-latest
+    runs-on: ubuntu-latest
-        container: catthehacker/ubuntu:act-latest
+    container: catthehacker/ubuntu:act-latest
-        if: gitea.ref == 'refs/heads/master'
+    if: gitea.ref == 'refs/heads/master'
-        steps:
+    steps:
-            - name: Checkout
+      - name: Checkout
-              uses: actions/checkout@v4
+        uses: actions/checkout@v4
-            - name: Create Kubeconfig
+      - name: Create Kubeconfig
-              run: |
+        run: |
-                  mkdir $HOME/.kube
+          mkdir $HOME/.kube
-                  echo "${{ secrets.KUBEC_CONFIG_BUILDX_NEW }}" > $HOME/.kube/config
+          echo "${{ secrets.KUBEC_CONFIG_BUILDX_NEW }}" > $HOME/.kube/config
-            - name: Set up Docker Buildx
+      - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v3
-              with:
+        with:
-                  driver: kubernetes
+          driver: kubernetes
-                  driver-opts: |
+          driver-opts: |
-                      namespace=gitea-runner
+            namespace=gitea-runner
-                      qemu.install=true
+            qemu.install=true
-            - name: Login to Docker Registry
+      - name: Login to Docker Registry
-              uses: docker/login-action@v3
+        uses: docker/login-action@v3
-              with:
+        with:
-                  registry: git.aridgwayweb.com
+          registry: git.aridgwayweb.com
-                  username: armistace
+          username: armistace
-                  password: ${{ secrets.REG_PASSWORD }}
+          password: ${{ secrets.REG_PASSWORD }}
-            - name: Build and push
+      - name: Build and push
-              uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v5
-              with:
+        with:
-                  context: .
+          context: .
-                  push: true
+          push: true
-                  platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64,linux/arm64
-                  tags: |
+          tags: |
-                      git.aridgwayweb.com/armistace/blog:latest
+            git.aridgwayweb.com/armistace/blog:latest
-            - name: Deploy
+      - name: Trivy Scan
-              run: |
+        uses: aquasecurity/trivy-action@0.28.0
-                  echo "Installing Kubectl"
+        with:
-                  apt-get update
+          image-ref: ${{ vars.DOCKER_SERVER }}/${{ vars.DOCKER_USERNAME }}/blog:latest
-                  apt-get install -y apt-transport-https ca-certificates curl gnupg
+          format: table
-                  curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.33/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
+          exit-code: 1
-                  chmod 644 /etc/apt/keyrings/kubernetes-apt-keyring.gpg
+          ignore-unfixed: true
-                  echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.33/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list
+          vuln-type: os,library
-                  chmod 644 /etc/apt/sources.list.d/kubernetes.list
+          severity: HIGH,CRITICAL
-                  apt-get update
+
-                  apt-get install kubectl
+      - name: Deploy
-                  kubectl delete namespace blog
+        run: |
-                  kubectl create namespace blog
+          echo "Installing Kubectl"
-                  kubectl create secret docker-registry regcred --docker-server=${{ vars.DOCKER_SERVER }} --docker-username=${{ vars.DOCKER_USERNAME }} --docker-password='${{ secrets.DOCKER_PASSWORD }}' --docker-email=${{ vars.DOCKER_EMAIL }} --namespace=blog
+          apt-get update
-                  kubectl apply -f kube/blog_pod.yaml && kubectl apply -f kube/blog_deployment.yaml && kubectl apply -f kube/blog_service.yaml
+          apt-get install -y apt-transport-https ca-certificates curl gnupg
          curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.33/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
          chmod 644 /etc/apt/keyrings/kubernetes-apt-keyring.gpg
          echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.33/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list
          chmod 644 /etc/apt/sources.list.d/kubernetes.list
          apt-get update
          apt-get install kubectl
          kubectl delete namespace blog
          kubectl create namespace blog
          kubectl create secret docker-registry regcred --docker-server=${{ vars.DOCKER_SERVER }} --docker-username=${{ vars.DOCKER_USERNAME }} --docker-password='${{ secrets.DOCKER_PASSWORD }}' --docker-email=${{ vars.DOCKER_EMAIL }} --namespace=blog
          kubectl apply -f kube/blog_pod.yaml && kubectl apply -f kube/blog_deployment.yaml && kubectl apply -f kube/blog_service.yaml