mirror of
https://github.com/seanmorley15/AdventureLog.git
synced 2025-08-07 22:25:19 +02:00
75 lines
1.9 KiB
YAML
75 lines
1.9 KiB
YAML
name: Trivy Security Scans
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
- development
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
- development
|
|
schedule:
|
|
- cron: "0 8 * * 1" # Weekly scan on Mondays at 8 AM UTC
|
|
|
|
jobs:
|
|
filesystem-scan:
|
|
name: Trivy Filesystem Scan (Source Code)
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Scan source code (Filesystem) with Trivy
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: fs
|
|
scan-ref: .
|
|
format: table
|
|
exit-code: 1
|
|
ignore-unfixed: true
|
|
severity: CRITICAL,HIGH
|
|
|
|
image-scan:
|
|
name: Trivy Docker Image Scan (Backend & Frontend)
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
# Optional login step (remove if you're not pushing images to GHCR)
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Build backend Docker image
|
|
run: docker build -t adventurelog-backend ./backend
|
|
|
|
- name: Build frontend Docker image
|
|
run: docker build -t adventurelog-frontend ./frontend
|
|
|
|
- name: Scan backend Docker image with Trivy
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
image-ref: adventurelog-backend
|
|
format: table
|
|
exit-code: 1
|
|
ignore-unfixed: true
|
|
severity: CRITICAL,HIGH
|
|
|
|
- name: Scan frontend Docker image with Trivy
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
image-ref: adventurelog-frontend
|
|
format: table
|
|
exit-code: 1
|
|
ignore-unfixed: true
|
|
severity: CRITICAL,HIGH
|