sk4nz/skz-genesis-actions
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9393f06049e39c457f5e4a224101e1eca7a4eb2a
skz-genesis-actions/.forgejo/workflows/ci.yaml
Samuel Aubertin 9393f06049 change vars to secret
2026-01-11 17:50:31 +01:00

80 lines
2.6 KiB
YAML
Raw Blame History

name: ci-workflow
on:
push:
branches:
- master
workflow_dispatch: {}
jobs:
build-and-scan:
runs-on: docker
env:
REGISTRY_HOST: ${{ secrets.REGISTRY_HOST }}
IMAGE_NAMESPACE: ${{ secrets.IMAGE_NAMESPACE }}
IMAGE_NAME: ${{ secrets.IMAGE_NAME }}
CI_GREETING: ${{ secrets.CI_GREETING }}
DEFECTDOJO_URL: ${{ secrets.DEFECTDOJO_URL }}
DEFECTDOJO_PRODUCT_TYPE: ${{ secrets.DEFECTDOJO_PRODUCT_TYPE }}
DEFECTDOJO_PRODUCT: ${{ secrets.DEFECTDOJO_PRODUCT }}
DEFECTDOJO_ENGAGEMENT: ${{ secrets.DEFECTDOJO_ENGAGEMENT }}
steps:
- name: Checkout
uses: https://data.forgejo.org/actions/checkout@v6
with:
fetch-depth: 0
- name: Show variables and secrets
run: |
echo "Greeting: ${CI_GREETING}"
echo "HELLO_SECRET length: ${#HELLO_SECRET}"
env:
HELLO_SECRET: ${{ secrets.HELLO_SECRET }}
- name: Install docker CLI
run: |
apt-get update
apt-get install -y docker.io
- name: Build image
run: |
IMAGE_REF="${REGISTRY_HOST}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:${GITHUB_SHA}"
echo "IMAGE_REF=${IMAGE_REF}" >> "${GITHUB_ENV}"
docker build -t "${IMAGE_REF}" .
- name: Login to Forgejo package registry
run: |
echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${REGISTRY_USERNAME}" --password-stdin
env:
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
- name: Push image
run: |
docker push "${IMAGE_REF}"
- name: Trivy scan (securecodebox)
run: |
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "${PWD}:/workspace" \
-w /workspace \
docker.io/aquasec/trivy:0.58.1 \
image --no-progress --format json --output trivy-results.json "${IMAGE_REF}"
- name: Upload to DefectDojo
run: |
curl -sSf -X POST "${DEFECTDOJO_URL}/api/v2/import-scan/" \
-H "Authorization: Token ${DEFECTDOJO_API_KEY}" \
-F "scan_type=Trivy Scan" \
-F "minimum_severity=Low" \
-F "product_type_name=${DEFECTDOJO_PRODUCT_TYPE}" \
-F "product_name=${DEFECTDOJO_PRODUCT}" \
-F "engagement_name=${DEFECTDOJO_ENGAGEMENT}" \
-F "file=@trivy-results.json" \
-F "verified=true" \
-F "active=true"
env:
DEFECTDOJO_API_KEY: ${{ secrets.DEFECTDOJO_API_KEY }}
Reference in New Issue View Git Blame Copy Permalink