From bafd42b7742392293c61a7e17000ba57987eb718 Mon Sep 17 00:00:00 2001
From: striker
Date: Thu, 21 May 2026 13:42:46 +0300
Subject: [PATCH] ci: add Trivy image scan to Gitea Actions
---
 .gitea/workflows/deploy.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 6260d0b..350d1ad 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -25,6 +25,23 @@ jobs:
 printf '%s\n' "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
 chmod 644 ~/.ssh/known_hosts
+ - name: Build image for security scan
+ run: |
+ docker build -t pushkinohistory-ru-v2:scan .
+ - name: Trivy image scan (HIGH+CRITICAL, warning only)
+ run: |
+ docker run --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -v "$PWD":/workspace \
+ ghcr.io/aquasecurity/trivy:latest \
+ image \
+ --severity HIGH,CRITICAL \
+ --ignore-unfixed \
+ --no-progress \
+ --exit-code 0 \
+ pushkinohistory-ru-v2:scan
+
 - name: Deploy to web.hhivp.com
 run: |
 ssh -i ~/.ssh/id_deploy striker@web.hhivp.com bash -s <<'REMOTE'
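Review bot: The Trivy step bind-mounts `/var/run/docker.sock` into a container pulled as `ghcr.io/aquasecurity/trivy:latest`, which hands whatever that mutable tag resolves to on a given day full control of the runner's Docker daemon, and the socket is not needed to scan an image that was just built locally. Export the image in the build step and scan the archive instead: add `docker save pushkinohistory-ru-v2:scan -o image.tar`, drop the `-v /var/run/docker.sock:/var/run/docker.sock \` line, and change `image \` to `image --input /workspace/image.tar \` (the `-v "$PWD":/workspace` mount, which nothing in the current command uses, then carries the tarball). Pin the scanner to a release tag or digest, e.g. `ghcr.io/aquasecurity/trivy:<PINNED_VERSION>`, so the deploy workflow cannot silently pick up a changed scanner image. With `--exit-code 0` the scan only logs, and it checks the locally built `:scan` tag rather than whatever the following `Deploy to web.hhivp.com` step ships, so the scanned and deployed artifacts may diverge; the deploy step's body continues outside the hunk.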