diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index c368456..8e88f82 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -27,14 +27,23 @@ jobs: ansible-validation: runs-on: ubuntu-latest container: - image: python:3.11-slim + image: ubuntu:22.04 steps: + - name: Install Node.js for checkout action + run: | + apt-get update && apt-get install -y curl + curl -fsSL https://deb.nodesource.com/setup_20.x | bash - + apt-get install -y nodejs + - name: Check out code uses: actions/checkout@v4 - - name: Install Ansible and linting tools + - name: Install Python and dependencies run: | - pip install --no-cache-dir ansible ansible-lint yamllint + apt-get update && apt-get install -y python3 python3-pip + + - name: Install Ansible and linting tools + run: pip3 install --no-cache-dir ansible ansible-lint yamllint - name: Validate YAML syntax run: | @@ -50,13 +59,28 @@ jobs: secret-scanning: runs-on: ubuntu-latest container: - image: gitleaks/gitleaks:latest + image: ubuntu:22.04 steps: + - name: Install Node.js for checkout action + run: | + apt-get update && apt-get install -y curl + curl -fsSL https://deb.nodesource.com/setup_20.x | bash - + apt-get install -y nodejs + - name: Check out code uses: actions/checkout@v4 with: fetch-depth: 0 + - name: Install Gitleaks + run: | + apt-get update && apt-get install -y wget curl + GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep tag_name | cut -d '"' -f 4 | sed 's/v//') + wget -q "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" -O /tmp/gitleaks.tar.gz + tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin/ gitleaks + chmod +x /usr/local/bin/gitleaks + gitleaks version + - name: Run Gitleaks secret scan run: | gitleaks detect --source . --verbose --no-banner --exit-code 1 
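Review bot: The new `Install Node.js for checkout action` step pipes `https://deb.nodesource.com/setup_20.x` straight into `bash -` as root, so whatever that URL serves on a given day runs unverified in every job; the identical block is copied into the secret-scanning, dependency-scan, sast-scan, vault-check, playbook-test and container-scan hunks. Prefer fetching the script to a file and checking it against a recorded sha256 before running it, or adding the NodeSource apt repository with its signing key under `signed-by=` and installing `nodejs` from there, and keep that in one place rather than seven copies. Since the jobs now build their whole toolchain at run time, pinning `image: ubuntu:22.04` by digest is worth considering as well. The `pip3 install --no-cache-dir ansible ansible-lint yamllint` line carries the pre-existing lack of version pins forward; `ansible-lint==<pinned version>` and friends would make lint results reproducible.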
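Review bot: The `Install Gitleaks` step resolves `GITLEAKS_VERSION` from an unauthenticated `api.github.com` call and then extracts and runs whatever tarball that yields without any integrity check, so the scanner that reads the full history (`fetch-depth: 0`) is an unpinned, unverified download. If the API call is rate-limited the `grep tag_name | cut ... | sed` chain yields an empty string and the `wget` URL degrades to `.../download/v/gitleaks__linux_x64.tar.gz`, failing the step with an unhelpful error. Pin the release in the workflow, e.g. `GITLEAKS_VERSION="<pinned version>"`, and verify the archive before `tar` touches it: `echo "<expected sha256>  /tmp/gitleaks.tar.gz" | sha256sum -c -`. That also removes the run-time dependency on the GitHub API.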
@@ -64,11 +88,25 @@ jobs: dependency-scan: runs-on: ubuntu-latest container: - image: aquasec/trivy:latest + image: ubuntu:22.04 steps: + - name: Install Node.js for checkout action + run: | + apt-get update && apt-get install -y curl + curl -fsSL https://deb.nodesource.com/setup_20.x | bash - + apt-get install -y nodejs + - name: Check out code uses: actions/checkout@v4 + - name: Install Trivy + run: | + apt-get update && apt-get install -y wget curl + wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add - || true + echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | tee -a /etc/apt/sources.list.d/trivy.list + apt-get update && apt-get install -y trivy || \ + (wget -qO /usr/local/bin/trivy https://github.com/aquasecurity/trivy/releases/latest/download/trivy_linux_amd64 && chmod +x /usr/local/bin/trivy) + - name: Scan npm dependencies run: | if [ -f "package.json" ]; then @@ -105,11 +143,22 @@ jobs: sast-scan: runs-on: ubuntu-latest container: - image: returntocorp/semgrep:latest + image: ubuntu:22.04 steps: + - name: Install Node.js for checkout action + run: | + apt-get update && apt-get install -y curl + curl -fsSL https://deb.nodesource.com/setup_20.x | bash - + apt-get install -y nodejs + - name: Check out code uses: actions/checkout@v4 + - name: Install Semgrep + run: | + apt-get update && apt-get install -y python3 python3-pip + pip3 install semgrep + - name: Run Semgrep scan run: semgrep --config=auto --error continue-on-error: true 
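Review bot: The `Install Trivy` step falls back, on any apt failure, to `wget -qO /usr/local/bin/trivy .../releases/latest/download/trivy_linux_amd64`, an unpinned and unverified binary, so a failed key import (already masked by `apt-key add - || true`) silently degrades the signed-package path into an unsigned download that then scans the repository. The apt path is also fragile as written: the step installs only `wget` and `curl`, so if `lsb_release` is absent from the base image `$(lsb_release -sc)` expands to nothing and the sources entry is malformed, which would likely be what sends every run down the fallback; `apt-key` is deprecated on 22.04 in favour of a `signed-by=` keyring; and `tee -a` appends a fresh entry on each invocation. The same block appears in the container-scan hunk. I would drop the fallback so that a failure to install a verifiable package fails the job, use the keyring form below, and pin with `trivy=<pinned version>` if the repository carries it.
```yaml
      - name: Install Trivy
        run: |
          apt-get update && apt-get install -y wget curl gnupg lsb-release
          install -d -m 0755 /etc/apt/keyrings
          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor -o /etc/apt/keyrings/trivy.gpg
          echo "deb [signed-by=/etc/apt/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" > /etc/apt/sources.list.d/trivy.list
          apt-get update && apt-get install -y trivy
```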
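Review bot: `pip3 install semgrep` in the new `Install Semgrep` step is unpinned and, unlike the sibling `pip3 install --no-cache-dir ...` lines in the ansible-validation and vault-check hunks, omits `--no-cache-dir`, so each run picks up whatever Semgrep version PyPI serves and leaves a pip cache in the container. A pinned, consistent line such as `pip3 install --no-cache-dir "semgrep==<pinned version>"` keeps scan results reproducible and makes engine upgrades deliberate. The `semgrep --config=auto` invocation with `continue-on-error: true` on the following lines is unchanged by this commit, so even a pinned engine still fetches its rules from the Semgrep registry at run time.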
@@ -137,13 +186,23 @@ jobs: vault-check: runs-on: ubuntu-latest container: - image: python:3.11-slim + image: ubuntu:22.04 steps: + - name: Install Node.js for checkout action + run: | + apt-get update && apt-get install -y curl + curl -fsSL https://deb.nodesource.com/setup_20.x | bash - + apt-get install -y nodejs + - name: Check out code uses: actions/checkout@v4 + - name: Install Python and dependencies + run: | + apt-get update && apt-get install -y python3 python3-pip + - name: Install Ansible - run: pip install --no-cache-dir ansible + run: pip3 install --no-cache-dir ansible - name: Validate vault files are encrypted run: | @@ -166,13 +225,23 @@ jobs: playbook-test: runs-on: ubuntu-latest container: - image: python:3.11-slim + image: ubuntu:22.04 steps: + - name: Install Node.js for checkout action + run: | + apt-get update && apt-get install -y curl + curl -fsSL https://deb.nodesource.com/setup_20.x | bash - + apt-get install -y nodejs + - name: Check out code uses: actions/checkout@v4 + - name: Install Python and dependencies + run: | + apt-get update && apt-get install -y python3 python3-pip + - name: Install Ansible - run: pip install --no-cache-dir ansible + run: pip3 install --no-cache-dir ansible - name: Dry-run playbooks run: | 
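Review bot: Swapping `python:3.11-slim` for `ubuntu:22.04` plus `apt-get install -y python3 python3-pip` changes the interpreter the vault-check job runs Ansible under from a pinned 3.11 to whatever the distro ships, and nothing in the hunk records that; a comment on the `Install Python and dependencies` step such as `# ubuntu:22.04 supplies the distro python3 rather than the 3.11 of the former image; keep within the ansible-core control-node support range` would make the choice explicit. That step is also written as a `run: |` block scalar holding a single command while the neighbouring `Install Ansible` step uses the one-line form; `run: apt-get update && apt-get install -y python3 python3-pip` keeps the file consistent. The playbook-test hunk carries the identical pair of changes. `pip3 install --no-cache-dir ansible` remains unpinned, which predates this commit.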
@@ -198,11 +267,25 @@ jobs: container-scan: runs-on: ubuntu-latest container: - image: aquasec/trivy:latest + image: ubuntu:22.04 steps: + - name: Install Node.js for checkout action + run: | + apt-get update && apt-get install -y curl + curl -fsSL https://deb.nodesource.com/setup_20.x | bash - + apt-get install -y nodejs + - name: Check out code uses: actions/checkout@v4 + - name: Install Trivy + run: | + apt-get update && apt-get install -y wget curl + wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add - || true + echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | tee -a /etc/apt/sources.list.d/trivy.list + apt-get update && apt-get install -y trivy || \ + (wget -qO /usr/local/bin/trivy https://github.com/aquasecurity/trivy/releases/latest/download/trivy_linux_amd64 && chmod +x /usr/local/bin/trivy) + - name: Scan for Dockerfiles and container configs run: | if [ -f "Dockerfile" ] || [ -f "docker-compose.yml" ] || find . -name "Dockerfile*" -o -name "*.dockerfile" 2>/dev/null | grep -v ".git" | head -1 > /dev/null; then