mirror of
https://github.com/streamyfin/streamyfin.git
synced 2026-06-10 16:00:25 +01:00
168bf2e54e
Some checks failed
🌐 Translation Sync / sync-translations (push) Waiting to run
🏗️ Build Apps / 🍎 Build tvOS IPA (Unsigned) (push) Has been cancelled
🏗️ Build Apps / 🤖 Build Android APK (Phone) (push) Has been cancelled
🏗️ Build Apps / 🤖 Build Android APK (TV) (push) Has been cancelled
🏗️ Build Apps / 🍎 Build iOS IPA (Phone) (push) Has been cancelled
🏗️ Build Apps / 🍎 Build iOS IPA (Phone - Unsigned) (push) Has been cancelled
🏗️ Build Apps / 🍎 Build tvOS IPA (push) Has been cancelled
🔒 Lockfile Consistency Check / 🔍 Check bun.lock and package.json consistency (push) Has been cancelled
🛡️ CodeQL Analysis / 🔎 Analyze with CodeQL (actions) (push) Has been cancelled
🛡️ CodeQL Analysis / 🔎 Analyze with CodeQL (javascript-typescript) (push) Has been cancelled
🏷️🔀Merge Conflict Labeler / 🏷️ Labeling Merge Conflicts (push) Has been cancelled
🚦 Security & Quality Gate / 🚑 Expo Doctor Check (push) Has been cancelled
🚦 Security & Quality Gate / 🔍 Lint & Test (check) (push) Has been cancelled
🚦 Security & Quality Gate / 🔍 Lint & Test (format) (push) Has been cancelled
🚦 Security & Quality Gate / 🔍 Lint & Test (i18n:check) (push) Has been cancelled
🚦 Security & Quality Gate / 📝 Validate PR Title (push) Has been cancelled
🚦 Security & Quality Gate / 🔍 Vulnerable Dependencies (push) Has been cancelled
🚦 Security & Quality Gate / 🔍 Lint & Test (lint) (push) Has been cancelled
🚦 Security & Quality Gate / 🔍 Lint & Test (typecheck) (push) Has been cancelled
🛡️ Trivy Security Scan / 🔎 Filesystem scan (push) Has been cancelled
61 lines
2.1 KiB
YAML
61 lines
2.1 KiB
YAML
name: 🛡️ Trivy Security Scan
|
|
|
|
# Filesystem scan (Streamyfin ships no container image): finds vulnerable dependencies,
|
|
# leaked secrets and misconfigurations, and reports them to GitHub code scanning.
|
|
# Runs post-merge + weekly (not on PRs — dependency-review already gates PRs, and SARIF
|
|
# upload needs a write token that fork PRs don't get).
|
|
on:
|
|
push:
|
|
branches: [develop, master]
|
|
schedule:
|
|
- cron: "50 7 * * 5" # Weekly, Friday 07:50 UTC
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
concurrency:
|
|
group: trivy-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
trivy:
|
|
name: 🔎 Filesystem scan
|
|
runs-on: ubuntu-24.04
|
|
permissions:
|
|
contents: read
|
|
security-events: write # upload SARIF to code scanning
|
|
steps:
|
|
- name: 📥 Checkout repository
|
|
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
|
|
|
# Rotate the DB cache weekly (matches the scheduled scan): cache hits within the week
|
|
# instead of a fresh immutable entry per run, still refreshing the DB every week.
|
|
- name: 🗓️ Compute weekly Trivy cache key
|
|
id: trivy-cache-key
|
|
run: echo "value=trivy-db-${{ runner.os }}-$(date -u +%G-%V)" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: 💾 Cache Trivy vulnerability DB
|
|
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
|
|
with:
|
|
path: ~/.cache/trivy
|
|
key: ${{ steps.trivy-cache-key.outputs.value }}
|
|
restore-keys: trivy-db-${{ runner.os }}-
|
|
|
|
- name: 🔎 Run Trivy filesystem scan
|
|
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
|
|
with:
|
|
scan-type: fs
|
|
scan-ref: .
|
|
scanners: vuln,secret,misconfig
|
|
ignore-unfixed: true
|
|
severity: CRITICAL,HIGH
|
|
format: sarif
|
|
output: trivy-results.sarif
|
|
|
|
- name: 📤 Upload results to code scanning
|
|
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
with:
|
|
sarif_file: trivy-results.sarif
|
|
category: trivy-fs
|