Fix CI scan jobs for Gitea Actions runner

vuln-scan: replace aquasecurity/trivy-action (tag 0.28.0 was unresolvable on the runner) with a direct docker run aquasec/trivy call — same pattern the sast job already uses for Semgrep, no third-party action to track. secrets-scan, vuln-scan, sast: pin actions/upload-artifact to v3. v4 uses a GitHub-specific Twirp protocol that this Gitea Actions runner does not implement, so uploads were failing with a bare exitcode 1. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 16:03:23 -07:00
parent a314908c7b
commit e67447dfed
1 changed files with 17 additions and 19 deletions
@@ -92,7 +92,7 @@ jobs:
            --no-git \
            --exit-code 0

-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: gitleaks-report
@@ -104,26 +104,24 @@ jobs:
      - uses: actions/checkout@v4

      - name: Trivy filesystem scan (vuln + misconfig)
-        # TODO: flip exit-code to '1' once baseline is clean
-        uses: aquasecurity/trivy-action@0.28.0
-        with:
-          scan-type: fs
-          scan-ref: .
-          format: sarif
-          output: trivy-fs.sarif
-          severity: HIGH,CRITICAL
-          exit-code: '0'
-          scanners: vuln,misconfig
+        # TODO: flip --exit-code to 1 once baseline is clean
+        run: |
+          docker run --rm -v "$PWD:/src" aquasec/trivy:latest \
+            fs /src \
+              --severity HIGH,CRITICAL \
+              --scanners vuln,misconfig \
+              --format sarif \
+              --output /src/trivy-fs.sarif \
+              --exit-code 0

      - name: Trivy SBOM (CycloneDX)
-        uses: aquasecurity/trivy-action@0.28.0
-        with:
-          scan-type: fs
-          scan-ref: .
-          format: cyclonedx
-          output: sbom.cdx.json
+        run: |
+          docker run --rm -v "$PWD:/src" aquasec/trivy:latest \
+            fs /src \
+              --format cyclonedx \
+              --output /src/sbom.cdx.json

-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: trivy-reports
@@ -148,7 +146,7 @@ jobs:
              --sarif --output /src/semgrep.sarif \
              --error /src || true

-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: semgrep-report