fix(ci): run trivy via SSH on web (docker not in Gitea runner) #2
@@ -25,24 +25,7 @@ jobs:
printf '%s\n' "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
chmod 644 ~/.ssh/known_hosts
- name: Build image for security scan
run: |
docker build -t pushkinohistory-ru-v2:scan .
- name: Trivy image scan (HIGH+CRITICAL, warning only)
run: |
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "$PWD":/workspace \
ghcr.io/aquasecurity/trivy:latest \
image \
--severity HIGH,CRITICAL \
--ignore-unfixed \
--no-progress \
--exit-code 0 \
pushkinohistory-ru-v2:scan
- name: Deploy to web.hhivp.com
- name: Deploy + Trivy scan to web.hhivp.com
run: |
ssh -i ~/.ssh/id_deploy striker@web.hhivp.com bash -s <<'REMOTE'
set -euo pipefail
@@ -63,6 +46,22 @@ jobs:
cd "$DEPLOY_PATH"
mkdir -p data
docker compose build
# Trivy scan свежесобранного образа на хосте (docker есть здесь).
# ghcr.io вместо docker.io — обход rate limit. HIGH/CRITICAL warning-only.
echo "=== Trivy scan: pushkinohistory-ru-v2:latest ==="
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /tmp/trivy-cache:/root/.cache/ \
ghcr.io/aquasecurity/trivy:latest image \
--severity HIGH,CRITICAL \
--ignore-unfixed \
--no-progress \
--exit-code 0 \
--timeout 5m \
pushkinohistory-ru-v2:latest || true
echo "=== Trivy scan done ==="
docker compose up -d
sleep 5
docker compose ps
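Review bot: The scanner that is handed the host's Docker socket is pulled as `ghcr.io/aquasecurity/trivy:latest` with no version or digest, so whatever is currently published under that floating tag runs with host-root-equivalent access on web.hhivp.com on every deploy; pin it, e.g. `ghcr.io/aquasecurity/trivy:PINNED_VERSION@sha256:DIGEST` (placeholders — take the values from the release you vetted), and bump it deliberately. The cache is bind-mounted from `/tmp/trivy-cache`, a path any local user on the host can pre-create or replace, which would let a tampered vulnerability DB make the scan report nothing; a directory owned by the deploy user, such as `"$DEPLOY_PATH/.trivy-cache"`, avoids that. The trailing `|| true` on the `pushkinohistory-ru-v2:latest` line is redundant with `--exit-code 0` for findings and instead hides scanner failures (DB download, the 5m timeout, a missing image tag) as a clean run; `|| echo "WARN: trivy scan failed (rc=$?)" >&2` keeps the step warning-only while leaving the failure visible in the job log. I cannot confirm from this hunk that `docker compose build` actually produces the `pushkinohistory-ru-v2:latest` tag being scanned, so that assumption is worth a comment next to the `docker run`. The `bash -s` heredoc this runs in opens in the previous hunk and continues past this one.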