anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Add bandit, pip-audit and trivy to CI/CD security pipeline
Some checks failed
CI / Lint (ruff) (push) Failing after 10s
Details
CI / Test (pytest) (3.11) (push) Failing after 39s
Details
CI / Test (pytest) (3.12) (push) Failing after 1m4s
Details
Security / SAST (bandit) (push) Successful in 11s
Details
Security / Dependency audit (pip-audit) (push) Successful in 18s
Details

Browse Source
This commit is contained in:
anti
2026-04-04 17:24:43 -03:00
parent b3b3597011
commit fe7354554f
3 changed files with 56 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
.gitea/workflows/release.yml
View File

@@ -42,7 +42,7 @@ jobs:
fi
docker:
name: Build & push ${{ matrix.service }}
name: Build, scan & push ${{ matrix.service }}
runs-on: ubuntu-latest
needs: tag
strategy:
@@ -76,6 +76,9 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Gitea container registry
uses: docker/login-action@v3
with:
@@ -83,7 +86,26 @@ jobs:
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push
- name: Build image locally
uses: docker/build-push-action@v5
with:
context: templates/${{ matrix.service }}
load: true
push: false
tags: decnet-${{ matrix.service }}:scan
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Scan with Trivy
uses: aquasecurity/trivy-action@master
with:
image-ref: decnet-${{ matrix.service }}:scan
exit-code: "1"
severity: CRITICAL
ignore-unfixed: true
- name: Push image
if: success()
uses: docker/build-push-action@v5
with:
context: templates/${{ matrix.service }}
@@ -91,3 +113,4 @@ jobs:
tags: |
${{ env.REGISTRY }}/${{ env.OWNER }}/decnet-${{ matrix.service }}:latest
${{ env.REGISTRY }}/${{ env.OWNER }}/decnet-${{ matrix.service }}:v${{ needs.tag.outputs.version }}
cache-from: type=gha