ci: add docker security scan and lint workflow

wax911 · wax911 · commit 7dda87adaff7 · 2025-08-17T11:42:31.000+02:00
diff --git a/.github/workflows/docker-lint.yml b/.github/workflows/docker-lint.yml
@@ -0,0 +1,81 @@
+name: Docker lint
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches: [ main ]
+
+jobs:
+  lint:
+    name: Lint Dockerfiles and Compose
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+
+      - name: Install yamllint
+        run: pip install yamllint
+
+      - name: Find and run yamllint on compose files
+        run: |
+          set -euo pipefail
+          files=$(git ls-files "**/docker-compose*.yml" "**/docker-compose*.yaml" || true)
+          if [ -n "$files" ]; then
+            echo "$files" | xargs yamllint || true
+          else
+            echo "No compose files found"
+          fi
+
+      - name: Prepare .env files for compose
+        run: |
+          set -euo pipefail
+          files=$(git ls-files "**/docker-compose*.yml" "**/docker-compose*.yaml" || true)
+          if [ -n "$files" ]; then
+            for f in $files; do
+              dir=$(dirname "$f")
+              if [ -f "$dir/.env" ]; then
+                echo ".env already present in $dir"
+              elif [ -f "$dir/.env.example" ]; then
+                echo "Copying $dir/.env.example -> $dir/.env"
+                cp "$dir/.env.example" "$dir/.env"
+              elif [ -f ".env.example" ] && [ ! -f ".env" ]; then
+                echo "Copying root .env.example -> $dir/.env"
+                cp ".env.example" "$dir/.env"
+              else
+                echo "No .env found for $f (expected $dir/.env or $dir/.env.example or root .env.example)."
+              fi
+            done
+          else
+            echo "No compose files found"
+          fi
+
+      - name: Validate docker compose config
+        run: |
+          set -euo pipefail
+          files=$(git ls-files "**/docker-compose*.yml" "**/docker-compose*.yaml" || true)
+          if [ -n "$files" ]; then
+            for f in $files; do
+              echo "Validating $f"
+              docker compose -f "$f" config > /dev/null
+            done
+          else
+            echo "No compose files found"
+          fi
+
+      - name: Hadolint (Docker image)
+        run: |
+          set -euo pipefail
+          files=$(git ls-files "**/Dockerfile" || true)
+          if [ -n "$files" ]; then
+            for df in $files; do
+              echo "Linting $df"
+              docker run --rm -v "${{ github.workspace }}:/workdir" -w /workdir hadolint/hadolint hadolint "$df" || true
+            done
+          else
+            echo "No Dockerfiles found"
+          fi
diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml
@@ -0,0 +1,22 @@
+name: Docker security scan
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches: [ main ]
+
+jobs:
+  trivy-scan:
+    name: Run Trivy filesystem scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Trivy Action
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          format: 'table'
+          scan-type: 'fs'
+          severity: 'HIGH,CRITICAL'
+          exit-code: '1'
+          ignore-unfixed: true
