feat trivy #4
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Automação de Segurança para a app. | |
| name: docker-ci | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| workflow_dispatch: | |
| env: | |
| IMAGE_NAME: getting-started | |
| jobs: | |
| build-and-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Build Docker image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . # mesmo que docker build . | |
| push: false # apenas build local | |
| tags: getting-started:latest | |
| # 🧰 Trivy roda logo após o build | |
| - name: Run Trivy scan before push | |
| uses: aquasecurity/trivy-action@0.28.0 | |
| with: | |
| image-ref: getting-started:latest | |
| format: 'table' | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| ignore-unfixed: true | |
| exit-code: '1' # falha se encontrar vulnerabilidades críticas | |
| - name: Run container and test health | |
| run: | | |
| docker run -d -p 3000:3000 --name app getting-started | |
| sleep 5 | |
| curl -f http://localhost:3000 || (docker logs app && exit 1) | |