diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..21fb0d1
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,25 @@
+# Secrets and credentials
+.env
+.env.*
+*.pem
+*.key
+*credentials*
+*secret*
+.aws/
+.ssh/
+
+# Git (may contain secrets in history)
+.git
+
+# IDE configs (may contain tokens)
+.idea/
+.vscode/
+.settings/
+.gradle/
+.claude
+
+# Local development
+docker-compose*.yml
+
+logs/
+docs/
\ No newline at end of file
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e111cce..655ff1a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -111,4 +111,58 @@ jobs:
 min-coverage-overall: 80
 min-coverage-changed-files: 80
+ security-scan:
+ name: Security Scan
+ runs-on: ubuntu-latest
+ needs: build
+
+ permissions:
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+ - name: Run Trivy repo scan
+ uses: aquasecurity/trivy-action@0.33.1
+ with:
+ scan-type: 'repo'
+ scan-ref: '.'
+ format: 'table'
+ severity: 'CRITICAL,HIGH'
+ ignore-unfixed: true
+
+ - name: Run Trivy config scan
+ uses: aquasecurity/trivy-action@0.33.1
+ with:
+ scan-type: 'config'
+ scan-ref: '.'
+ format: 'table'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Set up Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v3
+ with:
+ driver: docker-container
+
+ - name: Build Docker image
+ uses: docker/build-push-action@v6
+ with:
+ builder: ${{ steps.buildx.outputs.name }}
+ context: .
+ push: false
+ load: true
+ tags: user-service:${{ github.sha }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ - name: Run Trivy image scan
+ uses: aquasecurity/trivy-action@0.33.1
+ with:
+ scan-type: 'image'
+ image-ref: 'user-service:${{ github.sha }}'
+ format: 'table'
+ severity: 'CRITICAL,HIGH'
+ ignore-unfixed: true
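Review bot: The file-name patterns under "Secrets and credentials" (`.env`, `.env.*`, `*.pem`, `*.key`, `*credentials*`, `*secret*`) only match entries at the root of the build context, because `.dockerignore` follows Go `filepath.Match` rules where `*` does not cross `/`; a `config/prod.pem` or `src/main/resources/.env` would still be shipped to the daemon and could land in an image layer. Prefix each of those six patterns with `**/` (`**/.env`, `**/.env.*`, `**/*.pem`, `**/*.key`, `**/*credentials*`, `**/*secret*`) so they apply at any depth, and, since `.gradle/` suggests a JVM project, consider adding `**/*.jks`, `**/*.p12` and `**/*.pfx` for keystores. The `.aws/`, `.ssh/` and `.git` entries are fine as root-only matches. Note that `*secret*` is case-sensitive and would also drop any legitimately needed file whose name contains "secret", which is probably intended but deserves a one-line comment such as `# also excludes any file/dir whose name contains "secret"; use **/ for nested paths`.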
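Review bot: None of the three Trivy steps sets `exit-code`, so with Trivy's default exit code of 0 the job prints CRITICAL/HIGH findings to the log but never fails, and `ignore-unfixed: true` on the repo and image scans additionally hides anything without an upstream fix; add `exit-code: '1'` to each step (at minimum the image scan) if this job is meant to gate merges rather than just report. The job also requests `security-events: write`, yet every step uses `format: 'table'` and nothing uploads SARIF, so either drop that permission or switch one scan to `format: 'sarif'` with an `output:` file and add a `github/codeql-action/upload-sarif` step so findings reach the Security tab. All four actions are referenced by mutable tags (`actions/checkout@v6`, `aquasecurity/trivy-action@0.33.1`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v6`); a job whose purpose is supply-chain hygiene should pin them to full commit SHAs with the tag kept as a trailing comment. The hunk appears to end at the final `ignore-unfixed: true`, so nothing beyond `security-scan` is visible here.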