Fix image security scan intent

2025-07-03 09:41:03 -06:00
parent 9bcb07f846
commit 900d310edf
1 changed files with 67 additions and 67 deletions
--- a/.gitea/workflows/ci-cd.yml
+++ b/.gitea/workflows/ci-cd.yml
@ -157,73 +157,73 @@ jobs:
          echo "SBOM attached successfully to image digest: ${IMAGE_DIGEST}"

  # Job 4: Image Security Scan
-scan:
-  name: 🛡️ Image Security Scan
-  runs-on: ubuntu-latest
-  needs: build
-  if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-  steps:
-    - name: Login to Harbor Registry
-      uses: docker/login-action@v3
-      with:
-        registry: ${{ env.REGISTRY }}
-        username: ${{ secrets.HARBOR_USERNAME }}
-        password: ${{ secrets.HARBOR_TOKEN }}
+  scan:
+    name: 🛡️ Image Security Scan
+    runs-on: ubuntu-latest
+    needs: build
+    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+    steps:
+      - name: Login to Harbor Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.HARBOR_USERNAME }}
+          password: ${{ secrets.HARBOR_TOKEN }}
      
-    - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@master
-      with:
-        image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
-        format: 'sarif'
-        output: 'trivy-results.sarif'
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
      
-    - name: Generate JSON scan results
-      uses: aquasecurity/trivy-action@master
-      with:
-        image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
-        format: 'json'
-        output: 'trivy-results.json'
+      - name: Generate JSON scan results
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+          format: 'json'
+          output: 'trivy-results.json'
      
-    - name: Upload scan results artifacts
-      uses: actions/upload-artifact@v3
-      with:
-        name: trivy-scan-results
-        path: |
-          trivy-results.sarif
-          trivy-results.json
+      - name: Upload scan results artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy-scan-results
+          path: |
+            trivy-results.sarif
+            trivy-results.json
      
-    - name: Attach scan results to Harbor image
-      run: |
-        # Install ORAS
-        curl -LO https://github.com/oras-project/oras/releases/download/v1.1.0/oras_1.1.0_linux_amd64.tar.gz
-        tar -xzf oras_1.1.0_linux_amd64.tar.gz
-        sudo mv oras /usr/local/bin/
+      - name: Attach scan results to Harbor image
+        run: |
+          # Install ORAS
+          curl -LO https://github.com/oras-project/oras/releases/download/v1.1.0/oras_1.1.0_linux_amd64.tar.gz
+          tar -xzf oras_1.1.0_linux_amd64.tar.gz
+          sudo mv oras /usr/local/bin/
          
-        # Get the image digest from the build job
-        IMAGE_DIGEST="${{ needs.build.outputs.digest }}"
+          # Get the image digest from the build job
+          IMAGE_DIGEST="${{ needs.build.outputs.digest }}"
          
-        # Attach SARIF scan results
-        oras attach ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \
-          --artifact-type application/sarif+json \
-          trivy-results.sarif:application/sarif+json
+          # Attach SARIF scan results
+          oras attach ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \
+            --artifact-type application/sarif+json \
+            trivy-results.sarif:application/sarif+json
          
-        # Attach JSON scan results
-        oras attach ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \
-          --artifact-type application/json \
-          trivy-results.json:application/json \
-          --annotation "scan.type=vulnerability" \
-          --annotation "scan.tool=trivy"
+          # Attach JSON scan results
+          oras attach ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \
+            --artifact-type application/json \
+            trivy-results.json:application/json \
+            --annotation "scan.type=vulnerability" \
+            --annotation "scan.tool=trivy"
          
-        echo "Scan results attached successfully to image digest: ${IMAGE_DIGEST}"
+          echo "Scan results attached successfully to image digest: ${IMAGE_DIGEST}"
      
-    - name: Check for HIGH/CRITICAL vulnerabilities
-      uses: aquasecurity/trivy-action@master
-      with:
-        image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
-        format: 'json'
-        output: 'trivy-critical.json'
-        exit-code: '1'
-        severity: 'HIGH,CRITICAL'
+      - name: Check for HIGH/CRITICAL vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+          format: 'json'
+          output: 'trivy-critical.json'
+          exit-code: '1'
+          severity: 'HIGH,CRITICAL'

  # # Job 5: Deploy to Development
  # deploy-dev: