fix: update Bun base image and enhance security scanning

- Update Bun from 1.2.14 to 1.2.18 to address CVE-2025-22874 - Pin Trivy action to stable version (0.28.0) - Add SARIF output for GitHub Security tab integration - Set ignore-unfixed to false for comprehensive vulnerability detection - Add security-events permission for uploading scan results - Include fallback table output on scan failures
2025-12-23 07:58:07 +03:00 · 2025-06-15 13:48:58 +05:30
parent ae57b1b320
commit 6551ea719c
2 changed files with 23 additions and 4 deletions
--- a/.github/workflows/docker-scan.yml
+++ b/.github/workflows/docker-scan.yml
@@ -21,6 +21,7 @@ on:
 permissions:
  contents: read
  actions: read
+  security-events: write

 jobs:
  scan:
@@ -47,11 +48,29 @@ jobs:
          no-cache: true

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: gitea-mirror:scan
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: '1'
+          ignore-unfixed: false
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Run Trivy vulnerability scanner (table output)
+        uses: aquasecurity/trivy-action@0.28.0
+        if: failure()
        with:
          image-ref: gitea-mirror:scan
          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
+          exit-code: '0'
+          ignore-unfixed: false
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'