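---
# Build the application image, scan it with Trivy and import the scan results
# into DefectDojo. Non-secret settings come from repository variables (vars.*);
# credentials come from repository secrets and are passed to the individual
# step that needs them via `env`, never to the whole job.
name: ci-workflow

on:
  push:
    branches:
      - master
  workflow_dispatch: {}

jobs:
  build-and-scan:
    runs-on: docker
    env:
      REGISTRY_HOST: ${{ vars.REGISTRY_HOST }}
      IMAGE_NAMESPACE: ${{ vars.IMAGE_NAMESPACE }}
      IMAGE_NAME: ${{ vars.IMAGE_NAME }}
      CI_GREETING: ${{ vars.CI_GREETING }}
      DEFECTDOJO_URL: ${{ vars.DEFECTDOJO_URL }}
      DEFECTDOJO_PRODUCT_TYPE: ${{ vars.DEFECTDOJO_PRODUCT_TYPE }}
      DEFECTDOJO_PRODUCT: ${{ vars.DEFECTDOJO_PRODUCT }}
      DEFECTDOJO_ENGAGEMENT: ${{ vars.DEFECTDOJO_ENGAGEMENT }}
    steps:
      # NOTE(review): `@v6` is a mutable tag, so the action code can change
      # underneath this workflow. For a supply-chain-hardened pipeline pin the
      # action to the full commit SHA of the release you reviewed (left as-is
      # here because the SHA is not known from this file).
      - name: Checkout
        uses: https://data.forgejo.org/actions/checkout@v6
        with:
          fetch-depth: 0

      # Smoke test for the variable/secret plumbing. Only the *presence* of the
      # secret is reported: printing its length (`${#HELLO_SECRET}`) leaks
      # metadata about the secret into the job log, which is visible to anyone
      # who can read the run.
      - name: Show variables and secrets
        run: |
          echo "Greeting: ${CI_GREETING}"
          if [ -n "${HELLO_SECRET}" ]; then
            echo "HELLO_SECRET is set"
          else
            echo "HELLO_SECRET is NOT set"
          fi
        env:
          HELLO_SECRET: ${{ secrets.HELLO_SECRET }}

      # The `docker` runner label does not guarantee a docker CLI in the job
      # container, so install it. The daemon itself is the runner's, reached
      # through /var/run/docker.sock.
      - name: Install docker CLI
        run: |
          apt-get update
          apt-get install -y docker.io

      # Tag the image with the immutable commit SHA (not a floating tag) and
      # export the reference via GITHUB_ENV so later steps use the exact same
      # artefact that was built here.
      - name: Build image
        run: |
          IMAGE_REF="${REGISTRY_HOST}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:${GITHUB_SHA}"
          echo "IMAGE_REF=${IMAGE_REF}" >> "${GITHUB_ENV}"
          docker build -t "${IMAGE_REF}" .

      # Scan the freshly built image *before* it is pushed, so a gating policy
      # can be added without the vulnerable image having already left the
      # runner. Caveats a practitioner should know:
      #   - The scanner container is given the runner's docker socket, which is
      #     root-equivalent access to the runner; it is needed to read the local
      #     image. Scanning a `docker save` tarball via `--input` avoids the
      #     socket but changes the artefact name recorded in the report.
      #   - `aquasec/trivy:0.58.1` is a mutable tag; pin by digest
      #     (`@sha256:...`) once you have verified it.
      #   - Without `--exit-code` this step never fails the job. To gate the
      #     push, add `--exit-code 1 --severity CRITICAL,HIGH` (note this also
      #     filters the JSON report sent to DefectDojo) or run a second,
      #     gating-only trivy pass.
      - name: Trivy scan (securecodebox)
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -v "${PWD}:/workspace" \
            -w /workspace \
            docker.io/aquasec/trivy:0.58.1 \
            image --no-progress --format json --output trivy-results.json "${IMAGE_REF}"

      # Registry credentials are scoped to this step only and fed through
      # --password-stdin so the token never appears on a command line.
      - name: Login to Forgejo package registry
        run: |
          echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${REGISTRY_USERNAME}" --password-stdin
        env:
          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}

      - name: Push image
        run: |
          docker push "${IMAGE_REF}"

      # Import the Trivy report. `-f` makes curl exit non-zero on an HTTP error
      # so a failed import fails the job instead of being silently lost. The
      # API key is scoped to this step only.
      # NOTE(review): findings are imported with `verified=true`/`active=true`,
      # i.e. flagged as already triaged; confirm that is intended for
      # machine-generated results no human has reviewed yet.
      - name: Upload to DefectDojo
        run: |
          curl -sSf -X POST "${DEFECTDOJO_URL}/api/v2/import-scan/" \
            -H "Authorization: Token ${DEFECTDOJO_API_KEY}" \
            -F "scan_type=Trivy Scan" \
            -F "minimum_severity=Low" \
            -F "product_type_name=${DEFECTDOJO_PRODUCT_TYPE}" \
            -F "product_name=${DEFECTDOJO_PRODUCT}" \
            -F "engagement_name=${DEFECTDOJO_ENGAGEMENT}" \
            -F "file=@trivy-results.json" \
            -F "verified=true" \
            -F "active=true"
        env:
          DEFECTDOJO_API_KEY: ${{ secrets.DEFECTDOJO_API_KEY }}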