From 3fa659fb7dc0b5c0cad062fe04b8fa6b26aa70e9 Mon Sep 17 00:00:00 2001
From: Dmitry Gusev
Date: Thu, 21 May 2026 13:45:24 +0300
Subject: [PATCH] ci: add Trivy image scan to Gitea Actions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Между `docker compose build` и `docker compose up -d` сканируется свежий образ `anotherreflections-ru-v2:latest`. Severity HIGH+CRITICAL, exit-code 0 (не блокирует деплой первое время). Образ Trivy с ghcr.io — обход Docker Hub rate limit (как в hhivp-website коммит 0189256).
---
 .gitea/workflows/deploy.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 784975c..b95f2af 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -42,6 +42,21 @@ jobs:
 cd "$DEPLOY_PATH"
 docker compose build
+
+ # Trivy scan локально собранного образа (HIGH+CRITICAL, не блокирует).
+ # ghcr.io вместо docker.io — обход rate limit Docker Hub.
+ echo "=== Trivy scan: anotherreflections-ru-v2:latest ==="
+ docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /tmp/trivy-cache:/root/.cache/ \ ghcr.io/aquasecurity/trivy:latest image \ --severity HIGH,CRITICAL \ --no-progress \ --exit-code 0 \ --timeout 5m \ anotherreflections-ru-v2:latest || true
+ echo "=== Trivy scan done ==="
+
 docker compose up -d
 sleep 5
 docker compose ps
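Review bot: The `|| true` appended to the trivy invocation masks scanner failures, not just findings — `--exit-code 0` already makes vulnerability results non-blocking, so the only non-zero exits left are genuine errors (image not found, vulnerability DB download failure, a hit on the 5m `--timeout`), and those now pass silently as if the scan were clean. Dropping `|| true` keeps the deploy non-blocking on findings while still surfacing a broken scan in the job log. The scanner is also pulled as `ghcr.io/aquasecurity/trivy:latest`, so the tool that will eventually gate the deploy is itself unpinned and changes under you; pin it, e.g. `ghcr.io/aquasecurity/trivy:<PINNED_VERSION> image \`, and record the chosen version in the comment above. The comment should also state that the `/var/run/docker.sock` bind-mount hands the scanner container control of the runner's Docker daemon, which matters if the runner is shared; scanning a `docker save` tarball via `trivy image --input` avoids granting that. The `run:` block this sits in starts and ends outside the hunk.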