feat: got it all now I think

2025-12-11 15:11:46 -08:00
parent d98df0fe8c
commit 08fb8ae470
1 changed files with 2 additions and 14 deletions
@@ -20,7 +20,6 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4

-      # Manually install Trivy (workaround for Gitea Actions not supporting node24)
      - name: Install Trivy
        run: |
          sudo apt-get update
@@ -31,13 +30,12 @@ jobs:
          sudo apt-get update
          sudo apt-get install trivy -y

-      # Combined scan for vulnerabilities and IaC misconfigurations (secrets handled by Gitleaks)
      - name: Run Trivy comprehensive security scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
-          scanners: 'vuln,secret,misconfig'
+          scanners: 'vuln,misconfig'
          format: 'table'
          output: 'trivy-results.txt'
          severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
@@ -50,7 +48,6 @@ jobs:
          # Skip setup since we installed Trivy manually
          skip-setup-trivy: true

-      # Display results for visibility
      - name: Display Trivy scan results
        if: always()
        run: |
@@ -62,22 +59,19 @@ jobs:
            exit 1
          fi

-      # Install Gitleaks for fast secret scanning
      - name: Install Gitleaks
        run: |
-          wget -O /tmp/gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/').tar.gz
+          wget -O /tmp/gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz
          tar -xzf /tmp/gitleaks.tar.gz -C /tmp
          sudo mv /tmp/gitleaks /usr/local/bin/
          sudo chmod +x /usr/local/bin/gitleaks
          gitleaks version

-      # Secret scanning with Gitleaks
      - name: Run Gitleaks secret scan
        run: |
          gitleaks detect --source . --report-path gitleaks-results.json --report-format json --no-git
          gitleaks detect --source . --report-path gitleaks-results.txt --report-format txt

-      # Display Gitleaks results
      - name: Display Gitleaks scan results
        if: always()
        run: |
@@ -101,7 +95,6 @@ jobs:
          pipx install semgrep
          semgrep --version

-      # Static code analysis with Semgrep
      - name: Run Semgrep static analysis
        run: |
          export PATH="$HOME/.local/bin:$PATH"
@@ -112,7 +105,6 @@ jobs:
            --output semgrep-results.txt \
            .

-      # Display Semgrep results
      - name: Display Semgrep scan results
        if: always()
        run: |
@@ -124,25 +116,21 @@ jobs:
            exit 1
          fi

-      # Need Go
      - name: Install Go
        uses: actions/setup-go@v6
        with:
          go-version: 'stable' # Latest stable version

-      # Install OSV Scanner
      - name: Install OSV Scanner
        run: |
          export PATH="$HOME/go/bin:$PATH"
          go install github.com/google/osv-scanner/cmd/osv-scanner@latest

-      # Run OSV Scanner
      - name: Run OSV Scanner
        run: |
          export PATH="$HOME/go/bin:$PATH"
          osv-scanner -r scan --format table --output osv-results.txt .

-      # Display OSV Scanner results
      - name: Display OSV Scanner scan results
        if: always()
        run: |