init

2026-01-11 12:46:53 +01:00
commit c8dd558ffb
4 changed files with 86 additions and 0 deletions
--- a/.forgejo/workflows/ci.yaml
+++ b/.forgejo/workflows/ci.yaml
@@ -0,0 +1,71 @@
+name: ci-workflow
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch: {}
+
+jobs:
+  build-and-scan:
+    runs-on: docker
+    env:
+      REGISTRY_HOST: ${{ vars.REGISTRY_HOST }}
+      IMAGE_NAMESPACE: ${{ vars.IMAGE_NAMESPACE }}
+      IMAGE_NAME: ${{ vars.IMAGE_NAME }}
+      CI_GREETING: ${{ vars.CI_GREETING }}
+      DEFECTDOJO_URL: ${{ vars.DEFECTDOJO_URL }}
+      DEFECTDOJO_PRODUCT_TYPE: ${{ vars.DEFECTDOJO_PRODUCT_TYPE }}
+      DEFECTDOJO_PRODUCT: ${{ vars.DEFECTDOJO_PRODUCT }}
+      DEFECTDOJO_ENGAGEMENT: ${{ vars.DEFECTDOJO_ENGAGEMENT }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Show variables and secrets
+        run: |
+          echo "Greeting: ${CI_GREETING}"
+          echo "HELLO_SECRET length: ${#HELLO_SECRET}"
+        env:
+          HELLO_SECRET: ${{ secrets.HELLO_SECRET }}
+
+      - name: Build image
+        run: |
+          IMAGE_REF="${REGISTRY_HOST}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:${GITHUB_SHA}"
+          echo "IMAGE_REF=${IMAGE_REF}" >> "${GITHUB_ENV}"
+          docker build -t "${IMAGE_REF}" .
+
+      - name: Login to Forgejo package registry
+        run: |
+          echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${REGISTRY_USERNAME}" --password-stdin
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Push image
+        run: |
+          docker push "${IMAGE_REF}"
+
+      - name: Trivy scan (securecodebox)
+        run: |
+          docker run --rm \
+            -v /var/run/docker.sock:/var/run/docker.sock \
+            -v "${PWD}:/workspace" \
+            -w /workspace \
+            docker.io/aquasec/trivy:0.58.1 \
+            image --no-progress --format json --output trivy-results.json "${IMAGE_REF}"
+
+      - name: Upload to DefectDojo
+        run: |
+          curl -sSf -X POST "${DEFECTDOJO_URL}/api/v2/import-scan/" \
+            -H "Authorization: Token ${DEFECTDOJO_API_KEY}" \
+            -F "scan_type=Trivy Scan" \
+            -F "minimum_severity=Low" \
+            -F "product_type_name=${DEFECTDOJO_PRODUCT_TYPE}" \
+            -F "product_name=${DEFECTDOJO_PRODUCT}" \
+            -F "engagement_name=${DEFECTDOJO_ENGAGEMENT}" \
+            -F "file=@trivy-results.json" \
+            -F "verified=true" \
+            -F "active=true"
+        env:
+          DEFECTDOJO_API_KEY: ${{ secrets.DEFECTDOJO_API_KEY }}