diff --git a/.gitea/workflows/publish-docker.yml b/.gitea/workflows/publish-docker.yml index 6272d2c..afbb72f 100644 --- a/.gitea/workflows/publish-docker.yml +++ b/.gitea/workflows/publish-docker.yml @@ -41,25 +41,25 @@ jobs: load: true # This loads the image into the local docker daemon for Trivy to find tags: local_scan_target:${{ github.sha }} - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: 'local_scan_target:${{ github.sha }}' - format: 'table' - exit-code: '1' # This will fail the pipeline if vulnerabilities are found - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' - server-url: 'http://trivy-server:8080' - env: - - DOCKER_HOST: unix:///var/run/docker.sock - - TRIVY_USERNAME: ${{ secrets.PACKAGE_USER }} - - TRIVY_PASSWORD: ${{ secrets.PACKAGE_TOKEN }} +# - name: Run Trivy vulnerability scanner +# uses: aquasecurity/trivy-action@master +# with: +# image-ref: 'local_scan_target:${{ github.sha }}' +# format: 'table' +# exit-code: '1' # This will fail the pipeline if vulnerabilities are found +# ignore-unfixed: true +# vuln-type: 'os,library' +# severity: 'CRITICAL,HIGH' +# server-url: 'http://trivy-server:8080' +# env: +# - DOCKER_HOST: unix:///var/run/docker.sock +# - TRIVY_USERNAME: ${{ secrets.PACKAGE_USER }} +# - TRIVY_PASSWORD: ${{ secrets.PACKAGE_TOKEN }} -# - name: Run Trivy scanner (Binary Mode) -# run: | -# curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin -# trivy image --exit-code 1 --severity CRITICAL,HIGH --ignore-unfixed local_scan_target:${{ github.sha }} + - name: Run Trivy scanner (Binary Mode) + run: | + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + trivy image --exit-code 1 --severity CRITICAL,HIGH --ignore-unfixed --server http://trivy-server:8080 local_scan_target:${{ github.sha }} # Step 3: If scan passes, Build and Push to Registry - name: Build and push Docker image