ci: add deployment with security scanner (#1)

ci: add deployment Co-authored-by: sangnn <sangnn.vng@gmail.com> Co-committed-by: sangnn <sangnn.vng@gmail.com>
2026-06-23 02:31:23 +00:00
parent b7211ee43f
commit 0bb38a2fb4
5 changed files with 218 additions and 6 deletions
@@ -0,0 +1,58 @@
+name: PR -> develop
+
+on:
+  pull_request:
+    branches:
+      - main
+      - develop
+
+env:
+  GITLEAKS_VERSION: "8.30.1"
+
+jobs:
+
+  # ── 1. Secret scan ────────────────────────────────────────────────────────────
+  gitleaks:
+    name: Scan for secrets (Gitleaks)
+    runs-on: stage-gatehouse-ui
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Gitleaks
+        run: |
+          if command -v gitleaks >/dev/null 2>&1; then
+            echo "gitleaks already installed: $(gitleaks version)"
+            exit 0
+          fi
+          curl -sSfL \
+            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+            | tar xz gitleaks
+          mv gitleaks /usr/local/bin/gitleaks
+
+      - name: Run secret scan
+        run: gitleaks detect --source . --exit-code 1 --redact --verbose --log-level debug
+
+  # ── 2. CVE scan ───────────────────────────────────────────────────────────────
+  trivy:
+    name: Scan for CVEs (Trivy)
+    runs-on: stage-gatehouse-ui
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Trivy
+        run: |
+          command -v trivy >/dev/null 2>&1 || \
+            curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
+              | sh -s -- -b /usr/local/bin
+
+      - name: Run filesystem scan
+        run: |
+          trivy fs \
+            --exit-code 1 \
+            --severity HIGH,CRITICAL \
+            --no-progress \
+            .