diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 784975c..b95f2af 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -42,6 +42,21 @@ jobs:
 cd "$DEPLOY_PATH"
 docker compose build
+
+ # Trivy scan локально собранного образа (HIGH+CRITICAL, не блокирует).
+ # ghcr.io вместо docker.io — обход rate limit Docker Hub.
+ echo "=== Trivy scan: anotherreflections-ru-v2:latest ==="
+ docker run --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -v /tmp/trivy-cache:/root/.cache/ \
+ ghcr.io/aquasecurity/trivy:latest image \
+ --severity HIGH,CRITICAL \
+ --no-progress \
+ --exit-code 0 \
+ --timeout 5m \
+ anotherreflections-ru-v2:latest || true
+ echo "=== Trivy scan done ==="
+
 docker compose up -d
 sleep 5
 docker compose ps
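Review bot: The scanner image is pulled by the mutable `latest` tag on the `ghcr.io/aquasecurity/trivy:latest image \` line while the same `docker run` mounts `/var/run/docker.sock`, so whatever the registry serves under that tag gets root-equivalent control of the deploy host on every run; pin it to a release tag or digest, e.g. `ghcr.io/aquasecurity/trivy:<PINNED_VERSION>@sha256:<DIGEST> image \` (placeholder values). The trailing `|| true` is redundant with `--exit-code 0`, which already makes findings non-blocking, and only masks scanner failures (image pull error, the `--timeout 5m` expiring) that should at least surface in the job log — consider dropping it or echoing the exit status instead. The cache bind-mount `-v /tmp/trivy-cache:/root/.cache/ \` lives in a directory writable by every local account on the host; keeping the cache under the runner's own workspace avoids another user pre-seeding the vulnerability database that the scan relies on. The `run:` block these lines belong to starts before the hunk and may continue past it.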