mnemosyne/.gitea/workflows/cve-scan-docker-build.yml

name: CVE Scan & Docker Build

on:
  push:
    branches: [main]

env:
  REGISTRY: git.helu.ca
  IMAGE_NAME: ${{ gitea.repository }}
  TRIVY_SEVERITY: MEDIUM,HIGH,CRITICAL
  TRIVY_NO_PROGRESS: "true"
  TRIVY_DISABLE_VEX_NOTICE: "true"

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
          trivy --version

      - name: Resolve full dependency set (incl. dev/test/lint/docs extras)
        run: |
          python3 -m venv /tmp/scanenv
          /tmp/scanenv/bin/pip install --quiet pip-tools
          /tmp/scanenv/bin/pip-compile pyproject.toml \
            --extra dev --extra test --extra lint --extra docs \
            -o requirements.txt --no-header --quiet --allow-unsafe
          echo "Resolved $(grep -cv '^\s*\(#\|$\)' requirements.txt) pinned packages."

      - name: Scan Python dependencies for CVEs
        run: |
          trivy fs \
            --scanners vuln \
            --severity ${TRIVY_SEVERITY} \
            --format table \
            --exit-code 0 \
            requirements.txt

      - name: Scan repository for secrets
        run: |
          trivy fs \
            --scanners secret \
            --format table \
            --exit-code 0 \
            .

  build-and-push:
    runs-on: ubuntu-latest
    needs: security-scan
    if: always()
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to Gitea Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ gitea.actor }}
          password: ${{ secrets.PACKAGE_TOKEN }}

      - name: Extract metadata for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=sha,prefix=
            type=raw,value=latest,enable=${{ gitea.ref == 'refs/heads/main' }}

      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
          trivy --version

      - name: Scan built Docker image (OS + Python + system libs)
        run: |
          IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n1)
          echo "🔍 Scanning image: ${IMAGE_TAG}"
          trivy image \
            --scanners vuln \
            --severity ${TRIVY_SEVERITY} \
            --format table \
            --pkg-types os,library \
            --exit-code 0 \
            "${IMAGE_TAG}"

      - name: Scan built Docker image for misconfigurations
        continue-on-error: true
        run: |
          IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n1)
          trivy image \
            --scanners misconfig \
            --severity ${TRIVY_SEVERITY} \
            --format table \
            --exit-code 0 \
            "${IMAGE_TAG}"