diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 6260d0b..350d1ad 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -25,6 +25,23 @@ jobs:
           printf '%s\n' "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
           chmod 644 ~/.ssh/known_hosts
+      - name: Build image for security scan
+        run: |
+          docker build -t pushkinohistory-ru-v2:scan .
+
+      - name: Trivy image scan (HIGH+CRITICAL, warning only)
+        run: |
+          docker run --rm \
+            -v /var/run/docker.sock:/var/run/docker.sock \
+            -v "$PWD":/workspace \
+            ghcr.io/aquasecurity/trivy:latest \
+            image \
+            --severity HIGH,CRITICAL \
+            --ignore-unfixed \
+            --no-progress \
+            --exit-code 0 \
+            pushkinohistory-ru-v2:scan
+
       - name: Deploy to web.hhivp.com
         run: |
           ssh -i ~/.ssh/id_deploy striker@web.hhivp.com bash -s <<'REMOTE'
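Review bot: The scan step hands the scanner container the runner's Docker daemon through `-v /var/run/docker.sock:/var/run/docker.sock`, and the scanner itself is pulled as the mutable `ghcr.io/aquasecurity/trivy:latest`, so the step meant to check the application image runs an unpinned third-party image with daemon-level privilege on the runner. The socket is only there so Trivy can read the locally built image; saving the image to a tarball in the build step and scanning it with `--input` through the already-mounted (and currently unused) `-v "$PWD":/workspace` removes the socket entirely, and the tag should be pinned to a release version or digest. With `--exit-code 0` findings only reach the job log; if they are meant to be reviewed, consider also writing a report with `--format`/`--output` into `/workspace` and keeping it as an artifact. The `steps:` list these two steps belong to begins before the hunk.
```yaml
      - name: Build image for security scan
        run: |
          docker build -t pushkinohistory-ru-v2:scan .
          docker save pushkinohistory-ru-v2:scan -o image.tar

      - name: Trivy image scan (HIGH+CRITICAL, warning only)
        run: |
          docker run --rm \
            -v "$PWD":/workspace \
            ghcr.io/aquasecurity/trivy:<PINNED_VERSION_OR_DIGEST> \
            image \
            # … unchanged: --severity, --ignore-unfixed, --no-progress, --exit-code flags …
            --input /workspace/image.tar
```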