From 8ed3a2f3c3ba2d71c18a328fde10841d477fdda5 Mon Sep 17 00:00:00 2001
From: glenn schrooyen
Date: Sat, 13 Sep 2025 14:46:22 +0200
Subject: [PATCH] Enhance CI workflows by adding Docker image builds for security scans across all services (API Docs, API Gateway, Frontend, Service Adapters); update image references for Trivy vulnerability scanning to use security scan images. Ensure consistent setup for Java, Node.js, and Python environments in respective workflows.
---
 .gitea/workflows/api-docs.yml | 9 +++++++--
 .gitea/workflows/api-gateway.yml | 14 +++++++++++++-
 .gitea/workflows/docker-build.yml | 26 ++++++++++++++++++++++----
 .gitea/workflows/frontend.yml | 14 ++++++++++++--
 .gitea/workflows/service-adapters.yml | 14 ++++++++++++--
 5 files changed, 66 insertions(+), 11 deletions(-)
diff --git a/.gitea/workflows/api-docs.yml b/.gitea/workflows/api-docs.yml
index ec4a9e1..f1c9bc7 100644
--- a/.gitea/workflows/api-docs.yml
+++ b/.gitea/workflows/api-docs.yml
@@ -171,17 +171,22 @@ jobs:
 run: docker build -t api-docs:test .
 security:
- runs-on: ubuntu-latest
+ runs-on: [self-hosted]
 needs: build
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ - name: Build Docker image for security scan
+ run: |
+ cd services/api-docs
+ docker build -t api-docs:security-scan .
+
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
 with:
- image-ref: api-docs:test
+ image-ref: api-docs:security-scan
 format: 'sarif'
 output: 'trivy-results.sarif'
diff --git a/.gitea/workflows/api-gateway.yml b/.gitea/workflows/api-gateway.yml
index 3336206..e9ce788 100644
--- a/.gitea/workflows/api-gateway.yml
+++ b/.gitea/workflows/api-gateway.yml
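Review bot: The Trivy step now scans `api-docs:security-scan`, an image rebuilt from source inside this job, instead of the `api-docs:test` image the `build` job produced and tested — presumably because the job moved to `runs-on: [self-hosted]` and no longer shares a Docker daemon with `build` — so the scan result no longer describes the artifact that was actually tested (a Docker build repeated in another job is not reproducible once base layers or package indexes move). Handing the tested image across jobs keeps one artifact for test and scan: `docker save api-docs:test | gzip > api-docs.tar.gz` plus `actions/upload-artifact` in `build`, then `actions/download-artifact` and `docker load` here before Trivy; if the rebuild is deliberate, `docker build --pull -t api-docs:security-scan .` at least refreshes cached base layers on the persistent runner. The api-gateway.yml, frontend.yml and service-adapters.yml hunks add the same rebuild pattern. Images tagged `:security-scan` also persist on a self-hosted runner between runs unless a cleanup step removes them.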
@@ -123,10 +123,22 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
+ - name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+ cache: maven
+
+ - name: Build Docker image for security scan
+ run: |
+ cd services/api-gateway
+ docker build -t api-gateway:security-scan .
+
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
 with:
- image-ref: api-gateway:test
+ image-ref: api-gateway:security-scan
 format: 'sarif'
 output: 'trivy-results.sarif'
diff --git a/.gitea/workflows/docker-build.yml b/.gitea/workflows/docker-build.yml
index ccce5a5..ce8df45 100644
--- a/.gitea/workflows/docker-build.yml
+++ b/.gitea/workflows/docker-build.yml
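Review bot: The added `Set up JDK 17` step (with `cache: maven`) is not consumed by anything visible in this hunk — the only build that follows is `docker build`, which compiles inside the image — so unless a step outside the hunk needs a host JDK it only adds a toolchain install and a Maven cache restore to the self-hosted runner. Either drop the step, or if the Dockerfile expects a pre-built jar, add the `mvn -B package` step that produces it before `docker build`. The frontend.yml hunk (`Set up Node.js 18`) and the service-adapters.yml hunk (`Set up Python 3.11`) add the same unused toolchain setup. The enclosing job's header is outside this hunk.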
@@ -99,14 +99,32 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
+ - name: Extract metadata for security scan
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-gateway
+ ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/service-adapters
+ ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-docs
+ ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/frontend
+ tags: |
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ type=sha,prefix={{branch}}-
+ type=raw,value=latest,enable={{is_default_branch}}
+
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: |
- ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-gateway:${{ github.sha }}
- ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/service-adapters:${{ github.sha }}
- ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-docs:${{ github.sha }}
- ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/frontend:${{ github.sha }}
+ ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-gateway:${{ steps.meta.outputs.version }}
+ ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/service-adapters:${{ steps.meta.outputs.version }}
+ ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-docs:${{ steps.meta.outputs.version }}
+ ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/frontend:${{ steps.meta.outputs.version }}
 format: 'sarif'
 output: 'trivy-results.sarif'
diff --git a/.gitea/workflows/frontend.yml b/.gitea/workflows/frontend.yml
index 0b3a120..6328c24 100644
--- a/.gitea/workflows/frontend.yml
+++ b/.gitea/workflows/frontend.yml
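Review bot: Replacing `:${{ github.sha }}` with `:${{ steps.meta.outputs.version }}` in the `image-ref` lines binds the scan to a mutable tag: with the `tags` list given to `meta`, docker/metadata-action's `version` output is its highest-priority tag, which on a branch push is the branch name (branch and pr refs outrank the `sha` and `raw` entries by default), so Trivy scans whatever `…:main` currently points to rather than this commit's image whenever runs interleave or a push is skipped. If the plain `github.sha` tag was dropped because the build job never pushes one, restrict this step to the commit-bound tag instead — `tags: |` followed by only `type=sha,prefix={{branch}}-` — or pass the pushed digest from the build job as a job output. Separately, `image-ref: |` still supplies four references as one multi-line value; as far as I can tell trivy-action hands `image-ref` to `trivy image` as a single reference, so a matrix or one step per image is likely needed for the other three to be scanned at all. The enclosing job's header is outside this hunk.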
@@ -153,17 +153,27 @@ jobs:
 temporaryPublicStorage: true
 security:
- runs-on: ubuntu-latest
+ runs-on: [self-hosted]
 needs: build
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ - name: Set up Node.js 18
+ uses: actions/setup-node@v4
+ with:
+ node-version: '18'
+
+ - name: Build Docker image for security scan
+ run: |
+ cd frontend
+ docker build -t frontend:security-scan .
+
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
 with:
- image-ref: frontend:test
+ image-ref: frontend:security-scan
 format: 'sarif'
 output: 'trivy-results.sarif'
diff --git a/.gitea/workflows/service-adapters.yml b/.gitea/workflows/service-adapters.yml
index c3feb7f..4042858 100644
--- a/.gitea/workflows/service-adapters.yml
+++ b/.gitea/workflows/service-adapters.yml
@@ -130,17 +130,27 @@ jobs:
 run: docker build -t service-adapters:test .
 security:
- runs-on: ubuntu-latest
+ runs-on: [self-hosted]
 needs: build
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ - name: Set up Python 3.11
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.11'
+
+ - name: Build Docker image for security scan
+ run: |
+ cd services/service-adapters
+ docker build -t service-adapters:security-scan .
+
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
 with:
- image-ref: service-adapters:test
+ image-ref: service-adapters:security-scan
 format: 'sarif'
 output: 'trivy-results.sarif'