chore(ci): switch to Trivy

2025-05-31 11:39:29 +02:00 · 2025-05-31 11:39:29 +02:00 · f38d9fd3d0
commit f38d9fd3d0
parent 800ad92e52
1 changed files with 23 additions and 12 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@ -55,17 +55,28 @@ jobs:
      - name: Minimize uv cache
        run: uv cache prune --ci

-      - name: SonarQube Scan
-        uses: SonarSource/sonarqube-scan-action@v5.2.0
-        env:
-          SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
-          SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
+      # - name: SonarQube Scan
+      #   uses: SonarSource/sonarqube-scan-action@v5.2.0
+      #   env:
+      #     SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
+      #     SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}

-      - name: Snyk Vulnerability Scan
-        uses: snyk/actions/python@master
-        continue-on-error: true # Sometimes vulns aren't immediately fixable
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      # - name: Snyk Vulnerability Scan
+      #   uses: snyk/actions/python@master
+      #   continue-on-error: true # Sometimes vulns aren't immediately fixable
+      #   env:
+      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      #   with:
+      #     command: snyk
+      #     args: test --all-projects
+
+      - name: Trivy Vulnerability Scan
+        uses: aquasecurity/trivy-action@0.30.0
        with:
-          command: snyk
-          args: test --all-projects
+          scan-type: "fs"
+          scan-ref: "${{ gitea.workspace }}"
+          exit-code: "1"
+          ignore-unfixed: true
+          format: "table"
+          severity: "CRITICAL,HIGH,MEDIUM"
+          scanners: "vuln,secret,misconfig,license"