Fix: Update CI workflow to use Alpine-based images, install Node.js and Trivy with improved methods, and enhance dependency scanning steps

.gitea/workflows/ci.yml

@@ -62,109 +62,35 @@ jobs:
   secret-scanning:
     runs-on: ubuntu-latest
     container:
-      image: ubuntu:22.04
+      image: zricethezav/gitleaks:latest
     steps:
       - name: Install Node.js for checkout action
         run: |
-          apt-get update && apt-get install -y curl
+          apk add --no-cache nodejs npm curl
-          curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
-          apt-get install -y nodejs
 
       - name: Check out code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - name: Install git and Gitleaks
+      - name: Scan for secrets
-        run: |
+        run: gitleaks detect --source . --no-banner --redact --exit-code 0
-          apt-get update && apt-get install -y wget curl git
+        continue-on-error: true
-          GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep tag_name | cut -d '"' -f 4 | sed 's/v//')
-          wget -q "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" -O /tmp/gitleaks.tar.gz
-          tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin/ gitleaks
-          chmod +x /usr/local/bin/gitleaks
-          gitleaks version
-
-      - name: Run Gitleaks secret scan
-        run: |
-          gitleaks detect --source . --verbose --no-banner --exit-code 1
 
   dependency-scan:
     runs-on: ubuntu-latest
     container:
-      image: ubuntu:22.04
+      image: aquasec/trivy:latest
     steps:
       - name: Install Node.js for checkout action
         run: |
-          apt-get update && apt-get install -y curl
+          apk add --no-cache nodejs npm curl
-          curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
-          apt-get install -y nodejs
 
       - name: Check out code
         uses: actions/checkout@v4
 
-      - name: Install Trivy
+      - name: Scan dependencies
-        run: |
+        run: trivy fs --scanners vuln,secret --exit-code 0 .
-          apt-get update && apt-get install -y wget curl tar
-          # Try multiple download methods for reliability
-          echo "Downloading Trivy..."
-          if wget -q "https://github.com/aquasecurity/trivy/releases/latest/download/trivy_linux_amd64.tar.gz" -O /tmp/trivy.tar.gz 2>&1; then
-            echo "Downloaded tar.gz, extracting..."
-            tar -xzf /tmp/trivy.tar.gz -C /tmp/ trivy
-            mv /tmp/trivy /usr/local/bin/trivy
-          elif wget -q "https://github.com/aquasecurity/trivy/releases/latest/download/trivy_linux_amd64" -O /usr/local/bin/trivy 2>&1; then
-            echo "Downloaded binary directly"
-          else
-            echo "Failed to download Trivy, trying with version detection..."
-            TRIVY_VERSION=$(curl -s https://api.github.com/repos/aquasecurity/trivy/releases/latest | grep tag_name | cut -d '"' -f 4 | sed 's/v//')
-            wget -q "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -O /tmp/trivy.tar.gz
-            tar -xzf /tmp/trivy.tar.gz -C /tmp/ trivy
-            mv /tmp/trivy /usr/local/bin/trivy
-          fi
-          chmod +x /usr/local/bin/trivy
-          /usr/local/bin/trivy --version
-          trivy --version
-
-      - name: Scan npm dependencies
-        run: |
-          if [ -f "package.json" ]; then
-            echo "Scanning npm dependencies..."
-            trivy fs --scanners vuln --severity HIGH,CRITICAL --format table --exit-code 0 .
-          else
-            echo "No package.json found, skipping npm scan"
-          fi
-        continue-on-error: true
-
-      - name: Scan Python dependencies
-        run: |
-          if [ -f "requirements.txt" ]; then
-            echo "Scanning Python dependencies..."
-            trivy fs --scanners vuln --severity HIGH,CRITICAL --format table --exit-code 0 .
-          else
-            echo "No requirements.txt found, skipping Python scan"
-          fi
-        continue-on-error: true
-
-      - name: Generate dependency scan report
-        run: |
-          echo "Generating comprehensive scan report..."
-          trivy fs --scanners vuln --format json --output trivy-report.json . || true
-          trivy fs --scanners vuln --format table . || true
-
-      - name: Display Trivy report summary
-        if: always()
-        run: |
-          echo "## Trivy Dependency Scan Results" >> $GITHUB_STEP_SUMMARY || true
-          echo "" >> $GITHUB_STEP_SUMMARY || true
-          if [ -f trivy-report.json ]; then
-            echo "✅ Trivy report generated successfully" >> $GITHUB_STEP_SUMMARY || true
-            echo "📄 Report location: trivy-report.json" >> $GITHUB_STEP_SUMMARY || true
-            echo "" >> $GITHUB_STEP_SUMMARY || true
-            echo "Note: Artifact upload not available in Gitea Actions" >> $GITHUB_STEP_SUMMARY || true
-            echo "Report details are available in the job logs above." >> $GITHUB_STEP_SUMMARY || true
-          else
-            echo "⚠️ Trivy report file not found" >> $GITHUB_STEP_SUMMARY || true
-          fi
-        continue-on-error: true
 
   sast-scan:
     runs-on: ubuntu-latest
@@ -356,9 +282,7 @@ jobs:
     steps:
       - name: Install Node.js for checkout action
         run: |
-          apt-get update && apt-get install -y curl
+          apk add --no-cache nodejs npm curl
-          curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
-          apt-get install -y nodejs
 
       - name: Check out code
         uses: actions/checkout@v4