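---
# Woodpecker CI pipeline: run tests, produce source and image SBOMs, scan with
# Trivy, build the image, and push it only once the image scan has passed.
#
# Every step rewrites /etc/resolv.conf to Cloudflare resolvers before doing
# any network work; the reason is not recorded here (presumably the runner's
# default resolver is unreliable — confirm before removing).
labels:
  location: manager

clone:
  git:
    image: woodpeckerci/plugin-git
    settings:
      partial: false
      depth: 1

steps:
  # Run Tests
  test:
    name: test
    image: node:22-alpine
    commands:
      - echo "nameserver 1.1.1.1" > /etc/resolv.conf
      - echo "nameserver 1.0.0.1" >> /etc/resolv.conf
      - npm --version | cat
      - node --version | cat
      - npm ci
      - npm test
    when:
      branch: main
      # Runs for pull_request too; this step has no host socket and no secrets.
      event: [push, pull_request, cron]

  # SBOM for source code
  sbom-source:
    name: sbom-source
    image: alpine:3.20
    commands:
      - echo "nameserver 1.1.1.1" > /etc/resolv.conf
      - echo "nameserver 1.0.0.1" >> /etc/resolv.conf
      - apk add --no-cache curl tar
      # Installer is fetched from the upstream `main` branch and piped to sh,
      # so the syft version is unpinned and unverified on every run.
      # TODO: pin a release tag (installer positional arg) or vendor the binary.
      - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
      - syft version | cat
      - syft dir:. -o table | tee sbom.txt
      - syft dir:. -o spdx-json > sbom.spdx.json
      - echo "SBOM generated successfully"
      - ls -lh sbom.* | cat
    when:
      branch: main
      event: [push, pull_request, cron]

  # Trivy filesystem scan
  trivy-fs:
    name: trivy-fs
    # Floating tag: scanner version changes without a pipeline change.
    # TODO: pin to a specific trivy release tag.
    image: aquasec/trivy:latest
    commands:
      - echo "nameserver 1.1.1.1" > /etc/resolv.conf
      - echo "nameserver 1.0.0.1" >> /etc/resolv.conf
      - trivy --version | cat
      # --exit-code 0: findings are reported in the log but never fail the step
      # (advisory only; the hard gate is trivy-image below).
      - trivy fs --scanners vuln,misconfig --severity HIGH,CRITICAL --exit-code 0 .
      - trivy fs --scanners vuln,misconfig --severity HIGH,CRITICAL --exit-code 0 Dockerfile
    when:
      branch: main
      event: [push, pull_request, cron]

  # Build Docker image for scanning (no push here — see push-image)
  build-image:
    name: build-image
    image: woodpeckerci/plugin-docker-buildx
    depends_on: ["test"]
    environment:
      REGISTRY_USER:
        from_secret: REGISTRY_USER
      REGISTRY_PASSWORD:
        from_secret: REGISTRY_PASSWORD
      DOCKER_REGISTRY_USER:
        from_secret: DOCKER_REGISTRY_USER
      DOCKER_REGISTRY_PASSWORD:
        from_secret: DOCKER_REGISTRY_PASSWORD
    # Host daemon socket: this step can control the host's Docker engine
    # (effectively root on the runner). Only run on trusted push/cron events,
    # never on pull_request.
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    commands:
      - echo "nameserver 1.1.1.1" > /etc/resolv.conf
      - echo "nameserver 1.0.0.1" >> /etc/resolv.conf
      - HOSTNAME=$(docker info --format "{{.Name}}")
      - echo "Building on $HOSTNAME"
      # $${VAR} defers expansion to the step shell (Woodpecker would otherwise
      # substitute at parse time); --password-stdin keeps the secret off argv.
      # Login failures are deliberately non-fatal (best-effort, e.g. unauthenticated pulls).
      - echo "$${DOCKER_REGISTRY_PASSWORD}" | docker login -u "$${DOCKER_REGISTRY_USER}" --password-stdin || echo "Docker registry login skipped"
      - echo "$${REGISTRY_PASSWORD}" | docker login -u "$${REGISTRY_USER}" --password-stdin git.nixc.us || echo "Registry login skipped"
      - docker build -t hastebin:test --no-cache .
      - docker tag hastebin:test git.nixc.us/hastebin:latest || echo "Image tagging skipped"
    when:
      branch: main
      event: [push, cron]

  # Scan Docker image with Trivy — this is the publication gate
  trivy-image:
    name: trivy-image
    # TODO: pin to a specific trivy release tag (floating tag).
    image: aquasec/trivy:latest
    depends_on: ["build-image"]
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    commands:
      - echo "nameserver 1.1.1.1" > /etc/resolv.conf
      - echo "nameserver 1.0.0.1" >> /etc/resolv.conf
      - trivy --version | cat
      # --exit-code 1: any fixable HIGH/CRITICAL vulnerability fails this step,
      # which in turn keeps push-image from running.
      - trivy image --timeout 10m --scanners vuln --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 hastebin:test
    when:
      branch: main
      event: [push, cron]

  # Push the scanned image. Previously the push lived in build-image and ran
  # before trivy-image, so a failing scan only reported after the image was
  # already published as :latest. Depending on trivy-image makes the scan a
  # real gate (Woodpecker should skip dependents of a failed step).
  push-image:
    name: push-image
    image: woodpeckerci/plugin-docker-buildx
    depends_on: ["trivy-image"]
    environment:
      REGISTRY_USER:
        from_secret: REGISTRY_USER
      REGISTRY_PASSWORD:
        from_secret: REGISTRY_PASSWORD
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    commands:
      - echo "nameserver 1.1.1.1" > /etc/resolv.conf
      - echo "nameserver 1.0.0.1" >> /etc/resolv.conf
      # docker login state is per container, so re-authenticate here; the tag
      # created in build-image is visible because the host daemon is shared.
      - echo "$${REGISTRY_PASSWORD}" | docker login -u "$${REGISTRY_USER}" --password-stdin git.nixc.us || echo "Registry login skipped"
      - docker push git.nixc.us/hastebin:latest || echo "Image push skipped (may need registry credentials)"
    when:
      branch: main
      event: [push, cron]

  # Generate SBOM for Docker image
  sbom-image:
    name: sbom-image
    image: alpine:3.20
    depends_on: ["build-image"]
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    commands:
      - echo "nameserver 1.1.1.1" > /etc/resolv.conf
      - echo "nameserver 1.0.0.1" >> /etc/resolv.conf
      - apk add --no-cache curl docker-cli
      # Same unpinned curl | sh installer as sbom-source; TODO pin a release tag.
      - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
      - syft version | cat
      - syft docker:hastebin:test -o table | tee sbom-image.txt
      - syft docker:hastebin:test -o spdx-json > sbom-image.spdx.json
      - echo "Image SBOM generated successfully"
      - ls -lh sbom-image.* | cat
    when:
      branch: main
      event: [push, cron]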