Move securitychecks into own workflow (#1753)

2024-11-26 11:51:02 +00:00 · 2023-07-17 21:32:05 +02:00 · 2023-07-17 21:32:05 +02:00 · a890a0d4d4
commit a890a0d4d4
parent dcba48f916
4 changed files with 29 additions and 26 deletions
--- a/.woodpecker/docs.yml
+++ b/.woodpecker/docs.yml
@ -38,15 +38,6 @@ steps:
      - cron: update_docs
        event: cron

-  securitycheck:
-    image: aquasec/trivy:latest
-    commands:
-      - trivy fs --exit-code 0 --skip-dirs node_modules/ --skip-dirs plugins/woodpecker-plugins/node_modules --severity UNKNOWN,LOW docs/
-      # TODO currently it is not fixable so just do not block currently
-      - trivy fs --exit-code 0 --skip-dirs node_modules/ --skip-dirs plugins/woodpecker-plugins/node_modules --severity MEDIUM,HIGH,CRITICAL docs/
-    when:
-      path: *when_path
-
  deploy-preview:
    image: woodpeckerci/plugin-surge-preview:next
    settings:
--- a/.woodpecker/securityscan.yml
+++ b/.woodpecker/securityscan.yml
@ -0,0 +1,29 @@
+when:
+  - event: [ pull_request, cron ]
+  - event: push
+    branch: [ main, release/* ]
+
+variables:
+  - &trivy_image aquasec/trivy:latest
+  - &trivy_plugin codeberg.org/woodpecker-plugins/trivy:latest
+
+steps:
+  check backend:
+    group: check
+    image: *trivy_plugin
+    settings:
+      skip-dirs: web/,docs/
+
+  check docs:
+    group: check
+    image: *trivy_plugin
+    settings:
+      skip-dirs: node_modules/,plugins/woodpecker-plugins/node_modules/
+      dir:  docs/
+
+  check web:
+    group: check
+    image: *trivy_plugin
+    settings:
+      skip-dirs: node_modules/
+      dir:  web/
--- a/.woodpecker/test.yml
+++ b/.woodpecker/test.yml
@ -67,15 +67,6 @@ steps:
    image: mstruebing/editorconfig-checker
    group: test

-  # Fixed with https://github.com/woodpecker-ci/woodpecker/pull/1753
-  # securitycheck:
-  #   group: test
-  #   image: aquasec/trivy:latest
-  #   commands:
-  #     - trivy fs --exit-code 0 --skip-dirs web/ --skip-dirs docs/ --severity UNKNOWN,LOW .
-  #     - trivy fs --exit-code 1 --skip-dirs web/ --skip-dirs docs/ --severity MEDIUM,HIGH,CRITICAL .
-  #   when: *when
-
  test:
    image: *golang_image
    group: test
--- a/.woodpecker/web.yml
+++ b/.woodpecker/web.yml
@ -55,14 +55,6 @@ steps:
      - pnpm typecheck
    when: *when

-  securitycheck:
-    group: test
-    image: aquasec/trivy:latest
-    commands:
-      - trivy fs --exit-code 0 --skip-dirs node_modules/ --severity UNKNOWN,LOW web/
-      - trivy fs --exit-code 1 --skip-dirs node_modules/ --severity MEDIUM,HIGH,CRITICAL web/
-    when: *when
-
  test:
    group: test
    image: *node_image