2026-01-01 22:11:25 -05:00
1 changed files with 39 additions and 2 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@ -155,8 +155,45 @@ jobs:
      - name: Check out code
        uses: actions/checkout@v4

-      - name: Scan dependencies
-        run: trivy fs --scanners vuln,secret --exit-code 0 .
+      - name: Show dependency manifests (debug)
+        run: |
+          set -e
+          echo "Repo root:"
+          ls -la
+          echo ""
+          echo "Common dependency manifests:"
+          ls -la package.json package-lock.json requirements.txt pyproject.toml poetry.lock Pipfile Pipfile.lock 2>/dev/null || true
+          echo ""
+          echo "Count of lock/manifests found:"
+          find . -maxdepth 3 -type f \( \
+            -name "package-lock.json" -o \
+            -name "pnpm-lock.yaml" -o \
+            -name "yarn.lock" -o \
+            -name "requirements.txt" -o \
+            -name "pyproject.toml" -o \
+            -name "poetry.lock" -o \
+            -name "Pipfile.lock" \
+          \) | wc -l
+
+      - name: Dependency vulnerability scan (Trivy)
+        run: |
+          trivy fs \
+            --scanners vuln \
+            --severity HIGH,CRITICAL \
+            --ignore-unfixed \
+            --timeout 10m \
+            --skip-dirs .git,node_modules \
+            --exit-code 0 \
+            .
+
+      - name: Secret scan (Trivy)
+        run: |
+          trivy fs \
+            --scanners secret \
+            --timeout 10m \
+            --skip-dirs .git,node_modules \
+            --exit-code 0 \
+            .

  sast-scan:
    needs: skip-ci-check