Mathis/memegoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Activity
Files
8f372eef196807b50cd477e4f86d14d39f3516e0
memegoat/.gitea/workflows/cve-check.yml
Avnyr 8f372eef19
Some checks failed
CVE Security Check - Trivy + OWASP / OWASP Dependency-Check (push) Has been cancelled
Details
CVE Security Check - Trivy + OWASP / Security Summary (push) Has been cancelled
Details
CVE Security Check - Trivy + OWASP / Trivy Vulnerability Scan (push) Has been cancelled
Details
Add automated CVE security checks with Trivy and OWASP
2026-01-04 16:32:58 +01:00

119 lines
3.9 KiB
YAML
Raw Blame History

name: CVE Security Check - Trivy + OWASP
on:
schedule:
- cron: '0 2 * * *'
push:
paths:
- 'package.json'
- 'pnpm-lock.yaml'
- '.gitea/workflows/cve-check.yml'
pull_request:
paths:
- 'package.json'
- 'pnpm-lock.yaml'
jobs:
trivy-scan:
name: Trivy Vulnerability Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'HIGH,CRITICAL'
- name: Display Trivy results
run: |
echo "## 🔍 Trivy Scan Results" >> $GITHUB_STEP_SUMMARY
if [ -f trivy-results.sarif ]; then
echo "✅ Scan complété" >> $GITHUB_STEP_SUMMARY
fi
- name: Upload Trivy SARIF to artifact
uses: actions/upload-artifact@v3
if: always()
with:
name: trivy-results
path: trivy-results.sarif
owasp-dependency-check:
name: OWASP Dependency-Check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run OWASP Dependency-Check
uses: dependency-check/Dependency-Check_Action@main
with:
project: 'memegoat'
path: '.'
format: 'JSON'
args: >
--enableExperimental
--enableVulnerability
--suppression ./dependency-check-suppressions.xml
- name: Generate OWASP HTML Report
run: |
if [ -d "reports" ]; then
echo "📊 Rapport OWASP généré"
fi
- name: Upload OWASP reports
uses: actions/upload-artifact@v3
if: always()
with:
name: dependency-check-reports
path: reports/
- name: Parse OWASP results
run: |
if [ -f reports/dependency-check-report.json ]; then
echo "## 📋 OWASP Dependency-Check Results" >> $GITHUB_STEP_SUMMARY
CRITICAL=$(jq '[.reportSchema.vulnerabilities[] | select(.severity=="CRITICAL")] | length' reports/dependency-check-report.json || echo 0)
HIGH=$(jq '[.reportSchema.vulnerabilities[] | select(.severity=="HIGH")] | length' reports/dependency-check-report.json || echo 0)
MEDIUM=$(jq '[.reportSchema.vulnerabilities[] | select(.severity=="MEDIUM")] | length' reports/dependency-check-report.json || echo 0)
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY
echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
echo "| 🔴 CRITICAL | $CRITICAL |" >> $GITHUB_STEP_SUMMARY
echo "| 🟠 HIGH | $HIGH |" >> $GITHUB_STEP_SUMMARY
echo "| 🟡 MEDIUM | $MEDIUM |" >> $GITHUB_STEP_SUMMARY
if [ "$CRITICAL" -gt 0 ]; then
echo "" >> $GITHUB_STEP_SUMMARY
echo "⚠️ **Vulnérabilités CRITICAL détectées !**" >> $GITHUB_STEP_SUMMARY
exit 1
fi
fi
security-summary:
name: Security Summary
runs-on: ubuntu-latest
needs: [trivy-scan, owasp-dependency-check]
if: always()
steps:
- uses: actions/download-artifact@v3
- name: Generate final report
run: |
echo "## 🔐 Security Audit Complete" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "✅ Trivy scan - Completed" >> $GITHUB_STEP_SUMMARY
echo "✅ OWASP Dependency-Check - Completed" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "📁 [Télécharger les rapports détaillés](artifacts)" >> $GITHUB_STEP_SUMMARY
- name: Fail if critical vulnerabilities found
if: failure()
run: |
echo "🚨 Des vulnérabilités CRITICAL ont été détectées"
exit 1
Reference in New Issue View Git Blame Copy Permalink