ci: add Harbor vulnerability scan after image push

This commit is contained in:
Username
2026-01-18 17:23:19 +01:00
parent e0310339ee
commit 48094c0bee


@@ -310,3 +310,74 @@ jobs:
$BUILD_CMD push "${HARBOR_REGISTRY}/library/flaskpaste:${tag}" $BUILD_CMD push "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
echo "Pushed: ${HARBOR_REGISTRY}/library/flaskpaste:${tag}" echo "Pushed: ${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
done done
vuln-scan:
name: Harbor Vulnerability Scan
runs-on: ubuntu-latest
needs: [build-push]
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
container:
image: python:3.11-slim
steps:
- name: Setup
run: |
apt-get update -qq && apt-get install -yqq --no-install-recommends git curl >/dev/null
- name: Fetch harbor-ctl
run: |
curl -sL "https://git.mymx.me/username/harbor/raw/branch/master/harbor-ctl.py" -o harbor-ctl.py
chmod +x harbor-ctl.py
- name: Trigger and wait for scan
env:
HARBOR_USER: ${{ secrets.HARBOR_USER }}
HARBOR_PASS: ${{ secrets.HARBOR_PASS }}
run: |
if [ -z "$HARBOR_USER" ] || [ -z "$HARBOR_PASS" ]; then
echo "::warning::Harbor credentials not configured - skipping scan"
exit 0
fi
echo "Triggering vulnerability scan..."
python harbor-ctl.py --url https://harbor.mymx.me \
-u "$HARBOR_USER" -p "$HARBOR_PASS" \
scan library flaskpaste --wait --timeout 180
- name: Check for critical vulnerabilities
env:
HARBOR_USER: ${{ secrets.HARBOR_USER }}
HARBOR_PASS: ${{ secrets.HARBOR_PASS }}
run: |
if [ -z "$HARBOR_USER" ]; then exit 0; fi
echo "Checking for fixable critical/high vulnerabilities..."
# Get vulnerability report
python harbor-ctl.py --url https://harbor.mymx.me \
-u "$HARBOR_USER" -p "$HARBOR_PASS" \
vulns library flaskpaste -s critical -l 100 > /tmp/critical.txt 2>&1 || true
python harbor-ctl.py --url https://harbor.mymx.me \
-u "$HARBOR_USER" -p "$HARBOR_PASS" \
vulns library flaskpaste -s high -l 100 > /tmp/high.txt 2>&1 || true
# Check for fixable vulns (have a "Fixed" version that's not "N/A")
CRITICAL_FIXABLE=$(grep -v "N/A *$" /tmp/critical.txt | grep -c "^CVE\|^GHSA" || echo 0)
HIGH_FIXABLE=$(grep -v "N/A *$" /tmp/high.txt | grep -c "^CVE\|^GHSA" || echo 0)
echo "Critical fixable: $CRITICAL_FIXABLE"
echo "High fixable: $HIGH_FIXABLE"
if [ "$CRITICAL_FIXABLE" -gt 0 ]; then
echo "::error::Found $CRITICAL_FIXABLE fixable critical vulnerabilities"
cat /tmp/critical.txt
exit 1
fi
if [ "$HIGH_FIXABLE" -gt 0 ]; then
echo "::warning::Found $HIGH_FIXABLE fixable high vulnerabilities"
cat /tmp/high.txt
fi
echo "Vulnerability scan passed"
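Review bot: The `Fetch harbor-ctl` step downloads `harbor-ctl.py` from a mutable `master` branch with `curl -sL`, and the two following steps execute it with `HARBOR_USER`/`HARBOR_PASS` in the environment, so whoever can push to that branch (or answer for that URL) can read this pipeline's Harbor credentials. Pin the fetch to an immutable commit and verify a digest before running it, e.g. `curl -fsSL "https://git.mymx.me/username/harbor/raw/commit/<pinned-sha>/harbor-ctl.py" -o harbor-ctl.py` followed by `echo "<expected-sha256>  harbor-ctl.py" | sha256sum -c -` (or vendor the script into this repo); `-f` also stops a 404 page from being saved as the script. The gate in `Check for critical vulnerabilities` additionally fails open: both `vulns` invocations end in `|| true`, so an auth or network error leaves `/tmp/critical.txt` with no `CVE`/`GHSA` lines and the job still prints `Vulnerability scan passed`. Separately, `grep -c` already prints `0` when nothing matches (exiting 1), so `|| echo 0` yields a two-line value `0`/`0` that turns `[ "$CRITICAL_FIXABLE" -gt 0 ]` into an integer-expression error rather than a comparison; `|| true` is what is wanted there. The `jobs:` mapping this job belongs to begins outside the hunk.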