sk4nz/skz-genesis-actions
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c8dd558ffbc5e3675b602d26270ad58541c715fa
skz-genesis-actions/.forgejo/workflows/ci.yaml
Samuel Aubertin c8dd558ffb init
2026-01-11 12:46:53 +01:00

72 lines
2.4 KiB
YAML
Raw Blame History

name: ci-workflow
on:
push:
branches:
- main
workflow_dispatch: {}
jobs:
build-and-scan:
runs-on: docker
env:
REGISTRY_HOST: ${{ vars.REGISTRY_HOST }}
IMAGE_NAMESPACE: ${{ vars.IMAGE_NAMESPACE }}
IMAGE_NAME: ${{ vars.IMAGE_NAME }}
CI_GREETING: ${{ vars.CI_GREETING }}
DEFECTDOJO_URL: ${{ vars.DEFECTDOJO_URL }}
DEFECTDOJO_PRODUCT_TYPE: ${{ vars.DEFECTDOJO_PRODUCT_TYPE }}
DEFECTDOJO_PRODUCT: ${{ vars.DEFECTDOJO_PRODUCT }}
DEFECTDOJO_ENGAGEMENT: ${{ vars.DEFECTDOJO_ENGAGEMENT }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Show variables and secrets
run: |
echo "Greeting: ${CI_GREETING}"
echo "HELLO_SECRET length: ${#HELLO_SECRET}"
env:
HELLO_SECRET: ${{ secrets.HELLO_SECRET }}
- name: Build image
run: |
IMAGE_REF="${REGISTRY_HOST}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:${GITHUB_SHA}"
echo "IMAGE_REF=${IMAGE_REF}" >> "${GITHUB_ENV}"
docker build -t "${IMAGE_REF}" .
- name: Login to Forgejo package registry
run: |
echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${REGISTRY_USERNAME}" --password-stdin
env:
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
- name: Push image
run: |
docker push "${IMAGE_REF}"
- name: Trivy scan (securecodebox)
run: |
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "${PWD}:/workspace" \
-w /workspace \
docker.io/aquasec/trivy:0.58.1 \
image --no-progress --format json --output trivy-results.json "${IMAGE_REF}"
- name: Upload to DefectDojo
run: |
curl -sSf -X POST "${DEFECTDOJO_URL}/api/v2/import-scan/" \
-H "Authorization: Token ${DEFECTDOJO_API_KEY}" \
-F "scan_type=Trivy Scan" \
-F "minimum_severity=Low" \
-F "product_type_name=${DEFECTDOJO_PRODUCT_TYPE}" \
-F "product_name=${DEFECTDOJO_PRODUCT}" \
-F "engagement_name=${DEFECTDOJO_ENGAGEMENT}" \
-F "file=@trivy-results.json" \
-F "verified=true" \
-F "active=true"
env:
DEFECTDOJO_API_KEY: ${{ secrets.DEFECTDOJO_API_KEY }}
Reference in New Issue View Git Blame Copy Permalink