diff --git a/.gitea/workflows/api-docs.yml b/.gitea/workflows/api-docs.yml
index ec4a9e1..f1c9bc7 100644
--- a/.gitea/workflows/api-docs.yml
+++ b/.gitea/workflows/api-docs.yml
@@ -171,17 +171,22 @@ jobs:
 run: docker build -t api-docs:test .
 security:
- runs-on: ubuntu-latest
+ runs-on: [self-hosted]
 needs: build
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ - name: Build Docker image for security scan
+ run: |
+ cd services/api-docs
+ docker build -t api-docs:security-scan .
+
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
 with:
- image-ref: api-docs:test
+ image-ref: api-docs:security-scan
 format: 'sarif'
 output: 'trivy-results.sarif'
diff --git a/.gitea/workflows/api-gateway.yml b/.gitea/workflows/api-gateway.yml
index 3336206..e9ce788 100644
--- a/.gitea/workflows/api-gateway.yml
+++ b/.gitea/workflows/api-gateway.yml
@@ -123,10 +123,22 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
+ - name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+ cache: maven
+
+ - name: Build Docker image for security scan
+ run: |
+ cd services/api-gateway
+ docker build -t api-gateway:security-scan .
+
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
 with:
- image-ref: api-gateway:test
+ image-ref: api-gateway:security-scan
 format: 'sarif'
 output: 'trivy-results.sarif'
diff --git a/.gitea/workflows/docker-build.yml b/.gitea/workflows/docker-build.yml
index ccce5a5..ce8df45 100644
--- a/.gitea/workflows/docker-build.yml
+++ b/.gitea/workflows/docker-build.yml
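Review bot: The tag `api-docs:security-scan` on the new `docker build` line is a fixed name on the Docker daemon of a `[self-hosted]` runner, so two runs of this job overlapping on the same runner would overwrite each other's image between the build step and the Trivy step and one of them would scan the wrong code; the image is also never removed afterwards, so it accumulates on the host. A run-scoped tag fixes the race, `docker build -t api-docs:security-scan-${{ github.run_id }} .` with the same suffix on `image-ref`, and a trailing `docker rmi` step with `if: always()` keeps the host clean. Moving the job off `ubuntu-latest` also means an arbitrary Dockerfile from the checked-out ref is now built on persistent infrastructure; if this workflow is triggered by pull requests from outside contributors, that needs a gate (the `on:` block is outside the hunk, so I can't confirm the triggers). Whether Trivy findings actually fail the job (`exit-code`, `severity`) is likewise not visible here.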
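Review bot: The new `Set up JDK 17` step with `cache: maven` is not consumed by anything else in the hunk — the only build that follows is `docker build`, whose toolchain lives in the Dockerfile — so it costs setup time and leaves a Maven cache on the runner without affecting the scanned image; unless a later step in this job (outside the hunk) runs Maven directly, drop it. For a job whose purpose is supply-chain scanning, the newly added `uses: actions/setup-java@v4` should be pinned to a commit SHA rather than a mutable major tag, e.g. `uses: actions/setup-java@<full-sha> # v4`, and the same applies to the pre-existing `aquasecurity/trivy-action@master` on the context line, which tracks an unreleased branch. The fixed tag `api-gateway:security-scan` has the same collision problem as the other workflows when two runs share a runner; suffix it with `${{ github.run_id }}` on both the `docker build` line and `image-ref`.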
@@ -99,14 +99,32 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
+ - name: Extract metadata for security scan
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-gateway
+ ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/service-adapters
+ ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-docs
+ ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/frontend
+ tags: |
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ type=sha,prefix={{branch}}-
+ type=raw,value=latest,enable={{is_default_branch}}
+
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: |
- ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-gateway:${{ github.sha }}
- ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/service-adapters:${{ github.sha }}
- ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-docs:${{ github.sha }}
- ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/frontend:${{ github.sha }}
+ ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-gateway:${{ steps.meta.outputs.version }}
+ ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/service-adapters:${{ steps.meta.outputs.version }}
+ ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-docs:${{ steps.meta.outputs.version }}
+ ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/frontend:${{ steps.meta.outputs.version }}
 format: 'sarif'
 output: 'trivy-results.sarif'
diff --git a/.gitea/workflows/frontend.yml b/.gitea/workflows/frontend.yml
index 0b3a120..6328c24 100644
--- a/.gitea/workflows/frontend.yml
+++ b/.gitea/workflows/frontend.yml
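Review bot: Swapping `${{ github.sha }}` for `${{ steps.meta.outputs.version }}` in the four `image-ref` lines moves the scan from an immutable reference to a mutable one: with these tag rules `version` resolves to a branch name, `pr-N` or a semver string, all of which a later run can re-push, so Trivy may pull and report on an image other than the one this run built. The `type=sha,prefix={{branch}}-` rule does generate a commit-specific tag, but `outputs.version` is a single value and that tag is not the one scanned. If the build job pushes a digest (`docker/build-push-action` exposes `outputs.digest`), scan `…/api-gateway@${{ needs.build.outputs.<digest> }}`; otherwise keep pushing and scanning the `${{ github.sha }}` tag the old lines used — I can't see the build job here, so which option applies is for the author to confirm. Separately, `image-ref` on trivy-action takes one reference; this four-line block is handed over as a single string, so it is worth checking the run log that all four images are actually scanned, or turning the job into a `matrix` over the four names so each scan is explicit.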
@@ -153,17 +153,27 @@ jobs:
 temporaryPublicStorage: true
 security:
- runs-on: ubuntu-latest
+ runs-on: [self-hosted]
 needs: build
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ - name: Set up Node.js 18
+ uses: actions/setup-node@v4
+ with:
+ node-version: '18'
+
+ - name: Build Docker image for security scan
+ run: |
+ cd frontend
+ docker build -t frontend:security-scan .
+
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
 with:
- image-ref: frontend:test
+ image-ref: frontend:security-scan
 format: 'sarif'
 output: 'trivy-results.sarif'
diff --git a/.gitea/workflows/service-adapters.yml b/.gitea/workflows/service-adapters.yml
index c3feb7f..4042858 100644
--- a/.gitea/workflows/service-adapters.yml
+++ b/.gitea/workflows/service-adapters.yml
@@ -130,17 +130,27 @@ jobs:
 run: docker build -t service-adapters:test .
 security:
- runs-on: ubuntu-latest
+ runs-on: [self-hosted]
 needs: build
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ - name: Set up Python 3.11
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.11'
+
+ - name: Build Docker image for security scan
+ run: |
+ cd services/service-adapters
+ docker build -t service-adapters:security-scan .
+
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
 with:
- image-ref: service-adapters:test
+ image-ref: service-adapters:security-scan
 format: 'sarif'
 output: 'trivy-results.sarif'
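Review bot: The new `Set up Node.js 18` step is dead weight in this job — nothing between it and the Trivy step runs `node` or `npm` on the runner; the only build is `docker build`, which uses whatever toolchain the Dockerfile under `frontend/` installs — so it adds setup time and a toolchain on the self-hosted host without changing the scanned image. Unless a later step in this job (outside the hunk) needs it, remove the step; if it is meant to keep the runner's Node in sync with the image, that intent should be a comment, e.g. `# Node is only needed here if a later step runs npm on the host`. As with the other workflows, `frontend:security-scan` is a fixed tag on a shared runner, so concurrent runs can scan each other's build; use `docker build -t frontend:security-scan-${{ github.run_id }} .` and the matching `image-ref`. The `runs-on: [self-hosted]` change builds an untrusted Dockerfile on persistent infrastructure and should be gated if the workflow runs on external pull requests (triggers not visible here).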
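Review bot: With the added rebuild step, the Trivy scan no longer covers the image the `build` job produced (`service-adapters:test`, visible on the first context line) but a second, independent build on the security runner, so the two can diverge — a persistent self-hosted daemon will reuse cached base-image layers, and a `docker build` without `--pull` scans whatever base was last pulled, not what a fresh build would ship. The cheap mitigation is `docker build --pull -t service-adapters:security-scan-${{ github.run_id }} .` (the run-scoped tag also avoids two concurrent runs clobbering the fixed `security-scan` tag on the same daemon); the sound fix is to have `build` export its image (`docker save` plus an artifact upload, or a registry push) and scan that exact artifact here. The `Set up Python 3.11` step is not used by any step in the hunk — the Docker build brings its own interpreter — so drop it unless a later step in this job, outside the hunk, runs Python on the host. The newly added `actions/setup-python@v4` and `actions/checkout@v4` are mutable major tags; for a scanning job, pin them to commit SHAs.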