mirror of
https://github.com/streamyfin/streamyfin.git
synced 2026-06-16 19:00:28 +01:00
51 lines
1.7 KiB
YAML
name: 🛡️ Trivy Security Scan

# Filesystem scan (Streamyfin ships no container image): finds vulnerable dependencies,
# leaked secrets and misconfigurations, and reports them to GitHub code scanning.
# Runs post-merge + weekly (not on PRs — dependency-review already gates PRs, and SARIF
# upload needs a write token that fork PRs don't get).
on:
  push:
    branches: [develop, master]
  schedule:
    - cron: "50 7 * * 5" # Weekly, Friday 07:50 UTC
  workflow_dispatch:

permissions:
  contents: read

concurrency:
  group: trivy-${{ github.ref }}
  cancel-in-progress: true

jobs:
  trivy:
    name: 🔎 Filesystem scan
    runs-on: ubuntu-26.04
    permissions:
      contents: read
      security-events: write # upload SARIF to code scanning
    steps:
      - name: 📥 Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      # Trivy's own action caches the vulnerability DB + binary internally
      # (cache-trivy-* / trivy-binary-* entries), so no manual ~/.cache/trivy
      # step is needed — it only duplicated the cache.
      - name: 🔎 Run Trivy filesystem scan
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,secret,misconfig
          ignore-unfixed: true
          severity: CRITICAL,HIGH
          format: sarif
          output: trivy-results.sarif

      - name: 📤 Upload results to code scanning
        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          sarif_file: trivy-results.sarif
          category: trivy-fs
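The header comment spells out why the workflow is shaped the way it is: a read-only default token, a single job-scoped `security-events: write` for the SARIF upload, every action pinned to a commit SHA with its release in a trailing comment, and no pull-request trigger because fork PRs never get a write token. The script below is an added example, not part of the streamyfin repository, that checks exactly those properties on any workflow file so a reviewer can catch a drift back to `@v4` tags, `write-all`, or `pull_request_target`. The `audit_workflow` helper and its regex-based parsing are hypothetical (it understands ordinary workflow indentation, not arbitrary YAML), and the two embedded workflows are constructed samples, the first modelled on the file above.

```python
"""Audit a GitHub Actions workflow for what the Trivy workflow above relies on:
remote actions pinned to a full commit SHA plus a version comment, least-privilege
token permissions, and no trigger that runs fork-PR code with a write token.
Hypothetical regex-based helper: ordinary workflow indentation, not all of YAML."""
from __future__ import annotations
import re

USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_PIN = re.compile(r"^[^@\s]+@[0-9a-f]{40}$")
VERSION_COMMENT = re.compile(r"#\s*v\d+[\w.\-]*")
KEY = re.compile(r"^(\s*)([A-Za-z_][\w\-]*):\s*(.*?)\s*$")
RISKY_TRIGGERS = {"pull_request_target"}  # fork code runs with the base repo's token


def _indent(line: str) -> int: return len(line) - len(line.lstrip())

def _strip_comment(value: str) -> str: return value.split("#", 1)[0].strip()  # no '#' in quotes assumed

def block_children(lines: list[str], start: int) -> list[str]:
    """Non-blank, non-comment lines nested under lines[start]."""
    base, out = _indent(lines[start]), []
    for line in lines[start + 1:]:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if _indent(line) <= base:
            break
        out.append(line)
    return out

def child_keys(children: list[str]) -> list[tuple[str, str]]:
    """(key, scalar value) pairs at the block's outermost indentation."""
    depth = min(map(_indent, children), default=0)
    return [(m.group(2), _strip_comment(m.group(3))) for line in children
            if _indent(line) == depth and (m := KEY.match(line))]

def find_key(lines: list[str], name: str, indent: int | None = None) -> list[int]:
    """Indices of 'name:' mapping lines, optionally at one exact indentation."""
    return [i for i, line in enumerate(lines) if (m := KEY.match(line))
            and m.group(2) == name and (indent is None or len(m.group(1)) == indent)]

def audit_workflow(text: str, allowed_writes=frozenset()) -> list[str]:
    """Return findings as strings; an empty list means the workflow passes."""
    lines, findings = text.splitlines(), []
    # 1. Pinning: an immutable commit, plus the release it maps to, for reviewers.
    for n, line in enumerate(lines, 1):
        m = USES.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local action or image ref: not a git SHA pin
        if not SHA_PIN.match(m.group(1)):
            findings.append(f"L{n}: '{m.group(1)}' is not pinned to a 40-hex commit SHA")
        elif not VERSION_COMMENT.search(line):
            findings.append(f"L{n}: SHA pin for '{m.group(1)}' lacks a '# vX.Y.Z' comment")
    # 2. Triggers: block form, `on: push`, or `on: [push, pull_request_target]`.
    for i in find_key(lines, "on", indent=0):
        scalar = _strip_comment(KEY.match(lines[i]).group(3))
        names = ([t.strip() for t in scalar.strip("[]").split(",")] if scalar
                 else [k for k, _ in child_keys(block_children(lines, i))])
        for trigger in sorted(set(names) & RISKY_TRIGGERS):
            findings.append(f"L{i + 1}: trigger '{trigger}' runs fork code with a write token")
    # 3. Permissions: a read-only default at the top, and no write scope beyond
    #    the ones the caller allows (security-events, needed for SARIF upload).
    if not find_key(lines, "permissions", indent=0):
        findings.append("no top-level 'permissions:'; jobs inherit the repository default token")
    for i in find_key(lines, "permissions"):
        scalar = _strip_comment(KEY.match(lines[i]).group(3))
        scopes = [("*", scalar)] if scalar else child_keys(block_children(lines, i))
        for scope, level in scopes:
            if level == "write-all" or (level == "write" and scope not in allowed_writes):
                findings.append(f"L{i + 1}: '{scope}: {level}' is broader than this workflow needs")
    return findings


# Constructed samples (not the repo's files): the first mirrors the Trivy workflow's shape.
GOOD_WORKFLOW = """\
on:
  push:
    branches: [develop, master]
permissions:
  contents: read
jobs:
  trivy:
    permissions:
      contents: read
      security-events: write # upload SARIF
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
"""
BAD_WORKFLOW = """\
on: [push, pull_request_target]
jobs:
  trivy:
    permissions: write-all
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25
"""

if __name__ == "__main__":
    for label, wf in (("good", GOOD_WORKFLOW), ("bad", BAD_WORKFLOW)):
        print(label, audit_workflow(wf, allowed_writes={"security-events"}) or ["clean"])
```

Run it over `.github/workflows/*.yml` before merging a workflow change, passing the write scopes a given workflow legitimately needs (here only `security-events`). The `pull_request_target` check is a prompt to look, not a verdict: the trigger is sometimes used correctly, but combined with a checkout of the PR head it is the classic way fork code ends up running with the base repository's token, which is the situation the comment in this file is deliberately avoiding.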