pm/website-test
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Modificar .gitea/workflows/deploy.yaml
DevSecOps Enterprise Pipeline / security-gate (push) Successful in 30s
Details
DevSecOps Enterprise Pipeline / deploy (push) Successful in 5s
Details

Browse Source 
ci: reativar gitleaks com segredos ignorados
This commit is contained in:
pm
2026-05-08 10:30:57 +00:00
parent 0c34fdc2dc
commit 49ab12b7f6
1 changed files with 6 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/deploy.yaml
+5 -9
View File
@@ -12,23 +12,19 @@ jobs:
with: with:
fetch-depth: 0 fetch-depth: 0
<<<<<<< HEAD # 1. SECRET SCANNING (Ativo: Ignora o commit antigo graças ao .gitleaksignore, mas bloqueia novas fugas)
# 1. SCA - Verifica vulnerabilidades no Nginx
=======
# 1. SECRET SCANNING (Desativado temporariamente)
- name: Gitleaks Scan - name: Gitleaks Scan
run: | run: |
curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz | tar -xz -C /tmp curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz | tar -xz -C /tmp
/tmp/gitleaks detect --source . --verbose --redact --exit-code 1 /tmp/gitleaks detect --source . --verbose --redact --exit-code 1
# 2. SCA - Verifica vulnerabilidades no Nginx # 2. SCA - Verifica vulnerabilidades no Nginx
>>>>>>> 8c9be4c (ativar gitleaks)
- name: Scan Docker Image Vulnerabilities (Trivy) - name: Scan Docker Image Vulnerabilities (Trivy)
run: | run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
trivy image --severity HIGH,CRITICAL nginx:alpine trivy image --severity HIGH,CRITICAL nginx:alpine
# 2. SAST - Análise de Código com SonarQube # 3. SAST - Análise de Código com SonarQube
- name: SonarQube Analysis - name: SonarQube Analysis
run: | run: |
curl -sL https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-5.0.1.3006-linux.zip -o sonar-scanner.zip curl -sL https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-5.0.1.3006-linux.zip -o sonar-scanner.zip
@@ -46,7 +42,7 @@ jobs:
- name: Checkout Code - name: Checkout Code
uses: actions/checkout@v3 uses: actions/checkout@v3
# 3. DEPLOY ATÓMICO E HARDENING # 4. DEPLOY ATÓMICO E HARDENING
- name: Hardened Deploy - name: Hardened Deploy
run: | run: |
docker exec website-test-backend tar -czf /tmp/index_backup.tar.gz -C /usr/share/nginx/html index.html || true docker exec website-test-backend tar -czf /tmp/index_backup.tar.gz -C /usr/share/nginx/html index.html || true
@@ -54,10 +50,10 @@ jobs:
docker cp index.html website-test-backend:/usr/share/nginx/html/index.html docker cp index.html website-test-backend:/usr/share/nginx/html/index.html
docker exec website-test-backend chown root:root /usr/share/nginx/html/index.html docker exec website-test-backend chown root:root /usr/share/nginx/html/index.html
docker exec website-test-backend chmod 444 /usr/share/nginx/html/index.html docker exec website-test-backend chmod 444 /usr/share/nginx/html/index.html
# CORREÇÃO: Testar o acesso local por dentro do próprio container Nginx # Testar o acesso local por dentro do próprio container Nginx
docker exec website-test-backend curl --silent --show-error --fail http://localhost:80 || exit 1 docker exec website-test-backend curl --silent --show-error --fail http://localhost:80 || exit 1
# 4. AUDITORIA DE DEPLOY # 5. AUDITORIA DE DEPLOY
- name: Slack/Discord Notification - name: Slack/Discord Notification
if: always() if: always()
run: | run: |