ci: [KAN-137] add trivy scan #109
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Zap Scan | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| generate-env: | |
| name: Generate .env file | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Generate .env file | |
| run: | | |
| echo "MYSQL_PASSWORD=${{ secrets.MYSQL_PASSWORD }}" >> env-file | |
| echo "SMTP_PASSWORD=${{ secrets.SMTP_PASSWORD }}" >> env-file | |
| echo "SMTP_EMAIL_FROM=${{ secrets.SMTP_EMAIL_FROM }}" >> env-file | |
| echo "JWT_SECRET=${{ secrets.JWT_SECRET }}" >> env-file | |
| - name: Upload env-file as artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: env-file | |
| path: env-file | |
| zap: | |
| name: ZAP Scan | |
| runs-on: ubuntu-latest | |
| needs: | |
| - generate-env | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 | |
| - name: Download .env file | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: env-file | |
| path: . | |
| - name: Build and run Docker Compose | |
| run: | | |
| docker compose -f .github/ci/docker-compose.yml --env-file env-file up --build -d | |
| timeout 180 bash -c 'until curl -f http://localhost:8080/user-ms/v1/ping; do sleep 2; done' | |
| - name: Check Docker Compose Logs | |
| if: always() | |
| run: | | |
| docker compose -f .github/ci/docker-compose.yml ps ceramicraft-user-mservice | |
| docker compose -f .github/ci/docker-compose.yml logs ceramicraft-user-mservice | |
| - name: Run ZAP Scan | |
| uses: zaproxy/action-full-scan@75ee1686750ab1511a73b26b77a2aedd295053ed | |
| with: | |
| target: 'http://localhost:8080' # ZAP accesses the host-mapped port | |
| cmd_options: '-s' | |
| fail_action: false # Do not fail CI even if vulnerabilities are found | |
| allow_issue_writing: false # Disable automatic creation of GitHub Issues | |
| issue_title: 'ZAP Security Scan Alert' | |
| artifact_name: 'zap-report' # Attachment report | |
| - name: Tear down | |
| if: always() | |
| run: docker compose -f .github/ci/docker-compose.yml down --volumes --remove-orphans |