website-test/.gitea/workflows/deploy.yaml at e5da932e69e022b952341690a5089d2464fd773c

pm/website-test

Fork 0

Files

T

pm e5da932e69

DevSecOps Enterprise Pipeline / security-gate (push) Successful in 21s

Details

DevSecOps Enterprise Pipeline / deploy (push) Successful in 3s

Details

Modificar .gitea/workflows/deploy.yaml

asd

2026-05-08 12:07:51 +00:00

60 lines

2.4 KiB

YAML

Raw Blame History

 name: "DevSecOps Enterprise Pipeline"
 on:
   push:
     branches: [ main ]
 jobs:
   security-gate:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
       # 1. SECRET SCANNING (Ativo: Ignora o commit antigo graças ao .gitleaksignore, mas bloqueia novas fugas)
       - name: Gitleaks Scan
         run: |
           curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz | tar -xz -C /tmp
           /tmp/gitleaks protect --source . --verbose --redact --staged --exit-code 1
       # 2. SCA - Verifica vulnerabilidades no Nginx
       - name: Scan Docker Image Vulnerabilities (Trivy)
         run: |
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
           trivy image --severity HIGH,CRITICAL nginx:alpine
       # 3. SAST - Análise de Código com SonarQube
       - name: SonarQube Analysis
         run: |
           curl -sL https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-5.0.1.3006-linux.zip -o sonar-scanner.zip
           unzip -q sonar-scanner.zip
           ./sonar-scanner-5.0.1.3006-linux/bin/sonar-scanner \
             -Dsonar.projectKey=website-test \
             -Dsonar.sources=. \
             -Dsonar.host.url=http://51.89.40.2:9000 \
             -Dsonar.token=${{ secrets.SONAR_TOKEN }}
   deploy:
     needs: security-gate
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
         uses: actions/checkout@v3
       # 4. DEPLOY ATÓMICO E HARDENING
       - name: Hardened Deploy
         run: |
           docker exec website-test-backend tar -czf /tmp/index_backup.tar.gz -C /usr/share/nginx/html index.html || true
           docker exec website-test-backend sh -c "rm -rf /usr/share/nginx/html/*"
           docker cp index.html website-test-backend:/usr/share/nginx/html/index.html
           docker exec website-test-backend chown root:root /usr/share/nginx/html/index.html
           docker exec website-test-backend chmod 444 /usr/share/nginx/html/index.html
           # Testar o acesso local por dentro do próprio container Nginx
           docker exec website-test-backend curl --silent --show-error --fail http://localhost:80 || exit 1
       # 5. AUDITORIA DE DEPLOY
       - name: Slack/Discord Notification
         if: always()
         run: |
           echo "Deploy finalizado com status: ${{ job.status }}"

60 lines 2.4 KiB YAML Raw Blame History

60 lines

2.4 KiB

YAML

Raw Blame History