diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml index 1c20c12..b236a5d 100644 --- a/.gitea/workflows/deploy.yaml +++ b/.gitea/workflows/deploy.yaml @@ -12,23 +12,19 @@ jobs: with: fetch-depth: 0 -<<<<<<< HEAD - # 1. SCA - Verifica vulnerabilidades no Nginx -======= - # 1. SECRET SCANNING (Desativado temporariamente) + # 1. SECRET SCANNING (Ativo: BLOQUEIA a pipeline se encontrar passwords) - name: Gitleaks Scan run: | curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz | tar -xz -C /tmp /tmp/gitleaks detect --source . --verbose --redact --exit-code 1 # 2. SCA - Verifica vulnerabilidades no Nginx ->>>>>>> 8c9be4c (ativar gitleaks) - name: Scan Docker Image Vulnerabilities (Trivy) run: | curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin trivy image --severity HIGH,CRITICAL nginx:alpine - # 2. SAST - Análise de Código com SonarQube + # 3. SAST - Análise de Código com SonarQube - name: SonarQube Analysis run: | curl -sL https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-5.0.1.3006-linux.zip -o sonar-scanner.zip @@ -46,7 +42,7 @@ jobs: - name: Checkout Code uses: actions/checkout@v3 - # 3. DEPLOY ATÓMICO E HARDENING + # 4. DEPLOY ATÓMICO E HARDENING - name: Hardened Deploy run: | docker exec website-test-backend tar -czf /tmp/index_backup.tar.gz -C /usr/share/nginx/html index.html || true @@ -57,7 +53,7 @@ jobs: # CORREÇÃO: Testar o acesso local por dentro do próprio container Nginx docker exec website-test-backend curl --silent --show-error --fail http://localhost:80 || exit 1 - # 4. AUDITORIA DE DEPLOY + # 5. AUDITORIA DE DEPLOY - name: Slack/Discord Notification if: always() run: |