ci: add docker security scan and lint workflow

wax911 · wax911 · commit 4803a7005037 · 2025-08-17T12:03:23.000+02:00
diff --git a/.github/workflows/docker-lint.yml b/.github/workflows/docker-lint.yml
@@ -0,0 +1,32 @@
+name: Docker lint
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches: [ main ]
+
+jobs:
+  lint:
+    name: Lint Dockerfiles
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+
+      - name: Install yamllint
+        run: pip install yamllint
+
+      - name: Find and run yamllint on compose files
+        run: |
+          set -euo pipefail
+          files=$(git ls-files "**/docker-compose*.yml" "**/docker-compose*.yaml" || true)
+          if [ -n "$files" ]; then
+            echo "$files" | xargs yamllint || true
+          else
+            echo "No compose files found"
+          fi
diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml
@@ -0,0 +1,22 @@
+name: Docker security scan
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches: [ main ]
+
+jobs:
+  trivy-scan:
+    name: Run Trivy filesystem scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Trivy Action
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          format: 'table'
+          scan-type: 'fs'
+          severity: 'HIGH,CRITICAL'
+          exit-code: '1'
+          ignore-unfixed: true
