
Commit 14009d1

baijum and claude committed
feat: add security headers and Trivy scan to deploy workflows
- Add import security_headers to Caddyfile generation in deploy.yml and preview.yml
- Add non-blocking Trivy image scan after build in deploy.yml

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 8454b5e commit 14009d1

2 files changed

Lines changed: 9 additions & 0 deletions

File tree

.github/workflows/deploy.yml

Lines changed: 8 additions & 0 deletions
@@ -71,6 +71,13 @@ jobs:
7171
# Build and start app containers (project name = app name for predictable container names)
7272
docker compose -p ${APP_NAME} -f deploy/docker-compose.yml up -d --build
7373
74+
# Scan built image for vulnerabilities (non-blocking)
75+
APP_IMAGE=$(docker compose -p ${APP_NAME} -f deploy/docker-compose.yml images app --format "{{.Repository}}:{{.Tag}}" | head -1)
76+
if command -v trivy &>/dev/null; then
77+
echo "Scanning ${APP_IMAGE} for vulnerabilities..."
78+
trivy image --severity HIGH,CRITICAL --exit-code 0 --no-progress "${APP_IMAGE}" || true
79+
fi
80+
7481
# Run database migrations
7582
docker compose -p ${APP_NAME} -f deploy/docker-compose.yml exec -T app alembic -c app/alembic.ini upgrade head
7683
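Review bot: the scan can silently do nothing and nobody would notice. `docker compose images --format` documents only `table` and `json` as accepted values, so the Go template `{{.Repository}}:{{.Tag}}` needs to be verified against the compose version on the host; if it is rejected, APP_IMAGE ends up empty or holding an error string, `trivy image ""` fails, and `|| true` swallows it. `--exit-code 0` already makes trivy return 0 after a completed scan, so the trailing `|| true` only masks genuine runtime failures (vulnerability DB download errors, a bad image reference). Drop `|| true` and guard the variable, e.g. `if [ -n "${APP_IMAGE}" ] && command -v trivy &>/dev/null; then`, with an `else echo "trivy not installed or image not found, skipping scan"` branch so a skipped scan is visible in the job log. Also worth stating in a comment: because the scan runs after `up -d --build`, findings are purely informational for an image that is already serving traffic; if the scan is ever meant to gate a deploy, build first, scan with `--exit-code 1`, then bring the stack up.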
@@ -80,6 +87,7 @@ jobs:
8087
# Generate rendered Caddyfile for platform Caddy
8188
cat > /opt/platform/caddy-apps/${APP_NAME}.caddy <<CADDYEOF
8289
${{ secrets.APP_DOMAIN }} {
90+
import security_headers
8391
reverse_proxy ${APP_NAME}-app-1:8000
8492
}
8593
CADDYEOF
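Review bot: nothing in this commit defines the `security_headers` snippet, and `import` of an undefined snippet is a Caddyfile parse error, which would break the reload for every app served from /opt/platform/caddy-apps, not just this one. Confirm the platform Caddyfile declares `(security_headers) { ... }` and that it is loaded before the per-app files are imported, and add a validation step (for example `caddy validate --config <platform Caddyfile> --adapter caddyfile`, or whatever check the platform reload script runs) between writing the heredoc and reloading, so a missing or renamed snippet fails the workflow instead of taking the proxy down. The snippet name is now an implicit contract between this repo and the platform host and should be documented as such.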

.github/workflows/preview.yml

Lines changed: 1 addition & 0 deletions
@@ -64,6 +64,7 @@ jobs:
6464
# Generate Caddyfile for preview domain
6565
cat > /opt/platform/caddy-apps/${APP_NAME}-pr-${PR_NUMBER}.caddy <<CADDYEOF
6666
${PREVIEW_DOMAIN} {
67+
import security_headers
6768
reverse_proxy ${APP_NAME}-pr-${PR_NUMBER}-app-1:8000
6869
}
6970
CADDYEOF
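Review bot: same dependency as in deploy.yml: the `security_headers` snippet must already exist on the host that serves /opt/platform/caddy-apps, or this preview config fails to parse and the reload breaks for all apps. Because preview and production sites now import the identical snippet, any header tuned for the production domain is applied verbatim to every `${APP_NAME}-pr-${PR_NUMBER}` host; if previews need a different policy (a `X-Robots-Tag: noindex` header, or a looser CSP for debugging), define a separate snippet rather than editing the shared one. A validate step before reload is worth adding here as well.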

0 commit comments