@@ -42,38 +42,40 @@ jobs:
|
|||||||
"${HOME}/bin/trivy" --version
|
"${HOME}/bin/trivy" --version
|
||||||
|
|
||||||
# Use "${HOME}/bin/trivy" — act/Gitea may not prepend GITHUB_PATH before the next step.
|
# Use "${HOME}/bin/trivy" — act/Gitea may not prepend GITHUB_PATH before the next step.
|
||||||
# Gitea only orchestrates the job; checkout + report.json live on the runner machine (this server), not on the Gitea host.
|
# Gitea only orchestrates the job; output path is on the runner. With ubuntu-latest:host this is the VM; with Docker jobs, mount /home/azureuser or use artifacts.
|
||||||
- name: Trivy filesystem scan
|
- name: Trivy filesystem scan
|
||||||
run: |
|
run: |
|
||||||
"${HOME}/bin/trivy" fs -f json -o report.json \
|
TRIVY_REPORT="/home/azureuser/Trivy/report.json"
|
||||||
|
mkdir -p /home/azureuser/Trivy
|
||||||
|
"${HOME}/bin/trivy" fs -f json -o "${TRIVY_REPORT}" \
|
||||||
--skip-dirs node_modules,android/.gradle,android/build,ios/Pods,ios/build,.git \
|
--skip-dirs node_modules,android/.gradle,android/build,ios/Pods,ios/build,.git \
|
||||||
--exit-code 0 \
|
--exit-code 0 \
|
||||||
.
|
.
|
||||||
report_path="${GITHUB_WORKSPACE:-$(pwd)}/report.json"
|
|
||||||
echo "Runner host: $(hostname)"
|
echo "Runner host: $(hostname)"
|
||||||
echo "report.json (inside job container): ${report_path}"
|
echo "Trivy JSON report: ${TRIVY_REPORT}"
|
||||||
ls -la report.json
|
ls -la "${TRIVY_REPORT}"
|
||||||
|
|
||||||
# Download this artifact from the Gitea run UI — file leaves the ephemeral job container without docker cp.
|
# Download this artifact from the Gitea run UI — file leaves the ephemeral job container without docker cp.
|
||||||
# - name: Upload Trivy report (artifact)
|
# - name: Upload Trivy report (artifact)
|
||||||
# uses: actions/upload-artifact@v3
|
# uses: actions/upload-artifact@v3
|
||||||
# with:
|
# with:
|
||||||
# name: trivy-fs-report
|
# name: trivy-fs-report
|
||||||
# path: report.json
|
# path: /home/azureuser/Trivy/report.json
|
||||||
|
|
||||||
# Optional: persist on the VM host. In act_runner config.yaml set (then restart runner):
|
# Optional: persist on the VM host. In act_runner config.yaml set (then restart runner):
|
||||||
# container:
|
# container:
|
||||||
# options: "-v /home/azureuser/gitea-reports:/gitea-reports"
|
# options: "-v /home/azureuser/gitea-reports:/gitea-reports"
|
||||||
# If your config uses valid_volumes, allow that host path (see act_runner config.example.yaml).
|
# If your config uses valid_volumes, allow that host path (see act_runner config.example.yaml).
|
||||||
- name: Copy Trivy report to host bind mount (if configured)
|
# - name: Copy Trivy report to host bind mount (if configured)
|
||||||
run: |
|
# run: |
|
||||||
if [ -d /gitea-reports ] && [ -w /gitea-reports ]; then
|
# TRIVY_REPORT="/home/azureuser/Trivy/report.json"
|
||||||
out="/gitea-reports/trivy-report-${GITHUB_RUN_ID:-$(date +%s)}.json"
|
# if [ -d /gitea-reports ] && [ -w /gitea-reports ]; then
|
||||||
cp -f report.json "${out}"
|
# out="/gitea-reports/trivy-report-${GITHUB_RUN_ID:-$(date +%s)}.json"
|
||||||
echo "Copied to bind mount (see host dir mapped to /gitea-reports): ${out}"
|
# cp -f "${TRIVY_REPORT}" "${out}"
|
||||||
else
|
# echo "Copied to bind mount (see host dir mapped to /gitea-reports): ${out}"
|
||||||
echo "Skip host copy: no /gitea-reports volume. Use artifact above, or add runner container.options volume — see workflow comment."
|
# else
|
||||||
fi
|
# echo "Skip host copy: no /gitea-reports volume. Use artifact above, or add runner container.options volume — see workflow comment."
|
||||||
|
# fi
|
||||||
|
|
||||||
# ---------------- SONARQUBE ----------------
|
# ---------------- SONARQUBE ----------------
|
||||||
# In Gitea: Settings → Secrets → SONAR_TOKEN (and optionally SONAR_URL).
|
# In Gitea: Settings → Secrets → SONAR_TOKEN (and optionally SONAR_URL).
|
||||||
|
|||||||
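Review bot: The new `TRIVY_REPORT="/home/azureuser/Trivy/report.json"` and `mkdir -p /home/azureuser/Trivy` lines in the "Trivy filesystem scan" step hard-code one specific account's home directory, so on any runner whose user is not `azureuser` (or cannot create that directory) the `mkdir` fails and, if the usual `bash -e` run shell is in effect, the whole step aborts before Trivy runs. Deriving the location from the runner's own home while keeping a fixed path as an override avoids that: `TRIVY_REPORT="${TRIVY_REPORT_DIR:-${HOME}/Trivy}/report.json"` followed by `mkdir -p "$(dirname "${TRIVY_REPORT}")"`. With the "Copy Trivy report to host bind mount" step now commented out alongside the already-commented artifact upload, nothing in this hunk retains the report after the job; on a Docker-backed runner the file disappears with the container, and since `--exit-code 0` never fails the pipeline, the findings are effectively unread unless one of the two retention paths is re-enabled or a later step parses the JSON. The job continues beyond this hunk (the SONARQUBE section), so steps that consume the report may exist outside the visible lines.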