pm/website-test
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
967cdf3cad4c6af6364b2901b6befb745e2e578f
website-test/.gitea/workflows/deploy.yaml
T
pm 49ab12b7f6
DevSecOps Enterprise Pipeline / security-gate (push) Successful in 30s
Details
DevSecOps Enterprise Pipeline / deploy (push) Successful in 5s
Details
Modificar .gitea/workflows/deploy.yaml 
ci: reativar gitleaks com segredos ignorados
2026-05-08 10:30:57 +00:00

60 lines
2.4 KiB
YAML
Raw Blame History

name: "DevSecOps Enterprise Pipeline"
on:
push:
branches: [ main ]
jobs:
security-gate:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v3
with:
fetch-depth: 0
# 1. SECRET SCANNING (Ativo: Ignora o commit antigo graças ao .gitleaksignore, mas bloqueia novas fugas)
- name: Gitleaks Scan
run: |
curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz | tar -xz -C /tmp
/tmp/gitleaks detect --source . --verbose --redact --exit-code 1
# 2. SCA - Verifica vulnerabilidades no Nginx
- name: Scan Docker Image Vulnerabilities (Trivy)
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
trivy image --severity HIGH,CRITICAL nginx:alpine
# 3. SAST - Análise de Código com SonarQube
- name: SonarQube Analysis
run: |
curl -sL https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-5.0.1.3006-linux.zip -o sonar-scanner.zip
unzip -q sonar-scanner.zip
./sonar-scanner-5.0.1.3006-linux/bin/sonar-scanner \
-Dsonar.projectKey=website-test \
-Dsonar.sources=. \
-Dsonar.host.url=http://51.89.40.2:9000 \
-Dsonar.token=${{ secrets.SONAR_TOKEN }}
deploy:
needs: security-gate
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v3
# 4. DEPLOY ATÓMICO E HARDENING
- name: Hardened Deploy
run: |
docker exec website-test-backend tar -czf /tmp/index_backup.tar.gz -C /usr/share/nginx/html index.html || true
docker exec website-test-backend sh -c "rm -rf /usr/share/nginx/html/*"
docker cp index.html website-test-backend:/usr/share/nginx/html/index.html
docker exec website-test-backend chown root:root /usr/share/nginx/html/index.html
docker exec website-test-backend chmod 444 /usr/share/nginx/html/index.html
# Testar o acesso local por dentro do próprio container Nginx
docker exec website-test-backend curl --silent --show-error --fail http://localhost:80 || exit 1
# 5. AUDITORIA DE DEPLOY
- name: Slack/Discord Notification
if: always()
run: |
echo "Deploy finalizado com status: ${{ job.status }}"
Reference in New Issue View Git Blame Copy Permalink