\u0644\u0645 \u064a\u0639\u062f \u062a\u0623\u0645\u064a\u0646 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0623\u0645\u0631\u064b\u0627 \u0627\u062e\u062a\u064a\u0627\u0631\u064a\u064b\u0627 \u2014 \u0628\u0644 \u0623\u0635\u0628\u062d \u0645\u062a\u0637\u0644\u0628\u064b\u0627 \u0623\u0633\u0627\u0633\u064a\u064b\u0627 \u0644\u0623\u064a \u0645\u0624\u0633\u0633\u0629 \u0628\u0631\u0645\u062c\u064a\u0629 \u062d\u062f\u064a\u062b\u0629. \u0645\u0639 \u062a\u0632\u0627\u064a\u062f \u0647\u062c\u0645\u0627\u062a \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0645\u0646 \u062d\u064a\u062b \u0627\u0644\u062a\u0643\u0631\u0627\u0631 \u0648\u0627\u0644\u062a\u0639\u0642\u064a\u062f\u060c \u0641\u0625\u0646 \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0627\u0644\u062a\u064a \u062a\u062f\u0645\u062c\u0647\u0627 \u0641\u064a \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u0628\u0646\u0627\u0621 \u0648\u0627\u0644\u0646\u0634\u0631 \u062a\u062d\u062f\u062f \u0628\u0634\u0643\u0644 \u0645\u0628\u0627\u0634\u0631 \u0648\u0636\u0639\u0643 \u0627\u0644\u0623\u0645\u0646\u064a. \u0644\u0643\u0646 \u0645\u0639 \u062a\u0646\u0627\u0645\u064a \u0645\u0646\u0638\u0648\u0645\u0629 \u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0641\u062d\u0635\u060c \u0642\u062f \u064a\u0643\u0648\u0646 \u0627\u062e\u062a\u064a\u0627\u0631 \u0627\u0644\u0623\u062f\u0627\u0629 \u0627\u0644\u0645\u0646\u0627\u0633\u0628\u0629 (\u0623\u0648 \u0627\u0644\u062a\u0631\u0643\u064a\u0628\u0629 \u0627\u0644\u0645\u0646\u0627\u0633\u0628\u0629) \u0623\u0645\u0631\u064b\u0627 \u0645\u0631\u0628\u0643\u064b\u0627.<\/p>\n
\u064a\u0642\u062f\u0645 \u0647\u0630\u0627 \u0627\u0644\u062f\u0644\u064a\u0644 \u0645\u0642\u0627\u0631\u0646\u0629 \u0634\u0627\u0645\u0644\u0629 \u0648\u0639\u0627\u062f\u0644\u0629 \u0644\u0623\u0631\u0628\u0639 \u0645\u0646 \u0623\u0643\u062b\u0631 \u0623\u062f\u0648\u0627\u062a \u0641\u062d\u0635 \u0623\u0645\u0627\u0646 CI\/CD \u0627\u0633\u062a\u062e\u062f\u0627\u0645\u064b\u0627: Trivy<\/strong> \u0648Grype<\/strong> \u0648Snyk<\/strong> \u0648Checkov<\/strong>. \u0646\u0642\u064a\u0651\u0645 \u0643\u0644 \u0623\u062f\u0627\u0629 \u0639\u0628\u0631 \u062a\u063a\u0637\u064a\u0629 \u0627\u0644\u0645\u064a\u0632\u0627\u062a \u0648\u0627\u0644\u0623\u062f\u0627\u0621 \u0648\u0633\u0647\u0648\u0644\u0629 \u0627\u0644\u062a\u0643\u0627\u0645\u0644 \u0648\u0627\u0644\u062f\u0642\u0629 \u0648\u0627\u0644\u062a\u0633\u0639\u064a\u0631 \u0648\u062d\u0627\u0644\u0627\u062a \u0627\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0645\u062b\u0627\u0644\u064a\u0629 \u2014 \u062d\u062a\u0649 \u062a\u062a\u0645\u0643\u0646 \u0645\u0646 \u0627\u062a\u062e\u0627\u0630 \u0642\u0631\u0627\u0631 \u0645\u0633\u062a\u0646\u064a\u0631 \u0644\u0641\u0631\u064a\u0642\u0643 \u0648\u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628\u0643.<\/p>\n \u0633\u0648\u0627\u0621 \u0643\u0646\u062a \u062a\u0628\u0646\u064a \u0628\u0631\u0646\u0627\u0645\u062c \u0623\u0645\u0627\u0646 \u0645\u0646 \u0627\u0644\u0635\u0641\u0631 \u0623\u0648 \u062a\u0639\u0632\u0632 \u0633\u064a\u0631 \u0639\u0645\u0644 CI\/CD \u0642\u0627\u0626\u0645\u060c \u0641\u0625\u0646 \u0641\u0647\u0645 \u0627\u0644\u0645\u0642\u0627\u064a\u0636\u0627\u062a \u0628\u064a\u0646 \u0647\u0630\u0647 \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0623\u0645\u0631 \u0636\u0631\u0648\u0631\u064a. \u0644\u0646\u0628\u062f\u0623.<\/p>\n \u0642\u0628\u0644 \u0645\u0642\u0627\u0631\u0646\u0629 \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0641\u0631\u062f\u064a\u0629\u060c \u0645\u0646 \u0627\u0644\u0645\u0647\u0645 \u062a\u062d\u062f\u064a\u062f \u0627\u0644\u0645\u0639\u0627\u064a\u064a\u0631 \u0627\u0644\u0623\u0643\u062b\u0631 \u0623\u0647\u0645\u064a\u0629 \u0639\u0646\u062f \u062a\u0642\u064a\u064a\u0645 \u0623\u062f\u0627\u0629 \u0641\u062d\u0635 \u0623\u0645\u0627\u0646 CI\/CD. \u0644\u064a\u0633 \u0643\u0644 \u0641\u0631\u064a\u0642 \u064a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u0643\u0644 \u0645\u064a\u0632\u0629\u060c \u0644\u0643\u0646 \u0647\u0630\u0647 \u0647\u064a \u0627\u0644\u0623\u0628\u0639\u0627\u062f \u0627\u0644\u062a\u064a \u062a\u062d\u062f\u062f \u0627\u0644\u0646\u062c\u0627\u062d \u0639\u0644\u0649 \u0627\u0644\u0645\u062f\u0649 \u0627\u0644\u0637\u0648\u064a\u0644 \u0628\u0627\u0633\u062a\u0645\u0631\u0627\u0631:<\/p>\n \u0645\u0639 \u0648\u0636\u0639 \u0647\u0630\u0647 \u0627\u0644\u0645\u0639\u0627\u064a\u064a\u0631 \u0641\u064a \u0627\u0644\u0627\u0639\u062a\u0628\u0627\u0631\u060c \u0644\u0646\u0641\u062d\u0635 \u0643\u0644 \u0623\u062f\u0627\u0629 \u0628\u0627\u0644\u062a\u0641\u0635\u064a\u0644.<\/p>\n \u062a\u0637\u0648\u0631 Trivy\u060c \u0627\u0644\u0630\u064a \u0637\u0648\u0631\u062a\u0647 Aqua Security\u060c \u0645\u0646 \u0645\u0627\u0633\u062d \u062b\u063a\u0631\u0627\u062a \u062d\u0627\u0648\u064a\u0627\u062a \u0628\u0633\u064a\u0637 \u0625\u0644\u0649 \u0648\u0627\u062d\u062f\u0629 \u0645\u0646 \u0623\u0634\u0645\u0644 \u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0623\u0645\u0627\u0646 \u0645\u0641\u062a\u0648\u062d\u0629 \u0627\u0644\u0645\u0635\u062f\u0631 \u0627\u0644\u0645\u062a\u0627\u062d\u0629. \u064a\u0641\u062d\u0635:<\/p>\n \u064a\u062a\u0643\u0627\u0645\u0644 Trivy \u0628\u0633\u0647\u0648\u0644\u0629 \u0645\u0639 \u0623\u064a \u0645\u0646\u0635\u0629 CI\/CD \u062a\u0642\u0631\u064a\u0628\u064b\u0627. \u0625\u0644\u064a\u0643 \u0645\u062b\u0627\u0644 \u0639\u0644\u0649 GitHub Actions:<\/p>\n \u0648\u0645\u062b\u0627\u0644 \u0639\u0644\u0649 GitLab CI:<\/p>\n Trivy \u0645\u0641\u062a\u0648\u062d \u0627\u0644\u0645\u0635\u062f\u0631 \u0628\u0627\u0644\u0643\u0627\u0645\u0644 \u0628\u0645\u0648\u062c\u0628 \u062a\u0631\u062e\u064a\u0635 Apache 2.0. \u0644\u0627 \u064a\u0648\u062c\u062f \u062a\u0645\u064a\u064a\u0632 \u0628\u064a\u0646 \u0645\u0633\u062a\u0648\u0649 \u0645\u062c\u0627\u0646\u064a \u0648\u0645\u062f\u0641\u0648\u0639 \u2014 \u0643\u0644 \u0645\u064a\u0632\u0629 \u0641\u064a Trivy \u0646\u0641\u0633\u0647 \u0645\u062c\u0627\u0646\u064a\u0629. \u062a\u0642\u062f\u0645 Aqua Security \u0645\u0646\u062a\u062c\u0627\u062a \u062a\u062c\u0627\u0631\u064a\u0629 (Aqua Platform) \u0645\u0628\u0646\u064a\u0629 \u0639\u0644\u0649 Trivy \u0644\u0627\u062d\u062a\u064a\u0627\u062c\u0627\u062a \u0627\u0644\u0645\u0624\u0633\u0633\u0627\u062a.<\/p>\n Grype\u060c \u0627\u0644\u0630\u064a \u0637\u0648\u0631\u062a\u0647 Anchore\u060c \u0647\u0648 \u0645\u0627\u0633\u062d \u062b\u063a\u0631\u0627\u062a \u0645\u0635\u0645\u0645 \u062e\u0635\u064a\u0635\u064b\u0627 \u0644\u0644\u0639\u0645\u0644 \u0628\u0634\u0643\u0644 \u0623\u0635\u0644\u064a \u0645\u0639 SBOM. \u064a\u0641\u062d\u0635:<\/p>\n \u064a\u0639\u0645\u0644 Grype \u0628\u0634\u0643\u0644 \u062c\u064a\u062f \u0641\u064a \u0623\u064a \u0646\u0638\u0627\u0645 CI\/CD. \u0625\u0644\u064a\u0643 \u0645\u062b\u0627\u0644 \u0639\u0644\u0649 GitHub Actions \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u062a\u0631\u0643\u064a\u0628\u0629 Syft + Grype:<\/p>\n Grype \u0645\u0641\u062a\u0648\u062d \u0627\u0644\u0645\u0635\u062f\u0631 \u0628\u0627\u0644\u0643\u0627\u0645\u0644 \u0628\u0645\u0648\u062c\u0628 \u062a\u0631\u062e\u064a\u0635 Apache 2.0. \u062a\u0642\u062f\u0645 Anchore \u0645\u0646\u062a\u062c Anchore Enterprise \u0644\u0644\u0645\u0624\u0633\u0633\u0627\u062a \u0627\u0644\u062a\u064a \u062a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u0625\u062f\u0627\u0631\u0629 \u0633\u064a\u0627\u0633\u0627\u062a \u0645\u0631\u0643\u0632\u064a\u0629 \u0648RBAC \u0648\u062a\u0642\u0627\u0631\u064a\u0631 \u0627\u0644\u0627\u0645\u062a\u062b\u0627\u0644 \u0648\u0625\u062f\u0627\u0631\u0629 \u062f\u0648\u0631\u0629 \u062d\u064a\u0627\u0629 SBOM.<\/p>\n Snyk \u0647\u064a \u0645\u0646\u0635\u0629 \u0623\u0645\u0627\u0646 \u062a\u062c\u0627\u0631\u064a\u0629 \u0645\u0639 \u0645\u0633\u062a\u0648\u0649 \u0645\u062c\u0627\u0646\u064a \u0633\u062e\u064a\u060c \u0645\u0635\u0645\u0645\u0629 \u0644\u062f\u0645\u062c \u0627\u0644\u0623\u0645\u0627\u0646 \u0645\u0628\u0627\u0634\u0631\u0629 \u0641\u064a \u0633\u064a\u0631 \u0639\u0645\u0644 \u0627\u0644\u0645\u0637\u0648\u0631\u064a\u0646. \u062a\u0641\u062d\u0635:<\/p>\n \u064a\u0648\u0641\u0631 Snyk \u0625\u062c\u0631\u0627\u0621\u0627\u062a \u0631\u0633\u0645\u064a\u0629 \u0648\u0623\u0648\u0627\u0645\u0631 CLI \u0644\u062c\u0645\u064a\u0639 \u0645\u0646\u0635\u0627\u062a CI\/CD \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629:<\/p>\n \u064a\u0642\u062f\u0645 Snyk \u0646\u0645\u0648\u0630\u062c \u062a\u0633\u0639\u064a\u0631 \u0645\u062a\u062f\u0631\u062c:<\/p>\n Checkov\u060c \u0627\u0644\u0630\u064a \u0637\u0648\u0631\u0647 Prisma Cloud (Palo Alto Networks)\u060c \u0647\u0648 \u0623\u062f\u0627\u0629 \u062a\u062d\u0644\u064a\u0644 \u062b\u0627\u0628\u062a \u0645\u0635\u0645\u0645\u0629 \u062e\u0635\u064a\u0635\u064b\u0627 \u0644\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629 \u0643\u0631\u0645\u0632. \u064a\u0641\u062d\u0635:<\/p>\n \u064a\u062a\u0643\u0627\u0645\u0644 Checkov \u0628\u0633\u0644\u0627\u0633\u0629 \u0641\u064a \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD:<\/p>\n Checkov \u0645\u0641\u062a\u0648\u062d \u0627\u0644\u0645\u0635\u062f\u0631 \u0628\u0645\u0648\u062c\u0628 \u062a\u0631\u062e\u064a\u0635 Apache 2.0. \u062c\u0645\u064a\u0639 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0645\u062f\u0645\u062c\u0629 \u0648\u0645\u062d\u0631\u0643 \u0627\u0644\u0641\u062d\u0635 \u0627\u0644\u0623\u0633\u0627\u0633\u064a \u0645\u062c\u0627\u0646\u064a\u0629. \u062a\u0642\u062f\u0645 Palo Alto Networks \u0645\u0646\u062a\u062c Prisma Cloud \u0644\u0645\u064a\u0632\u0627\u062a \u0627\u0644\u0645\u0624\u0633\u0633\u0627\u062a \u0628\u0645\u0627 \u0641\u064a \u0630\u0644\u0643 \u0644\u0648\u062d\u0627\u062a \u0627\u0644\u0645\u0639\u0644\u0648\u0645\u0627\u062a \u0627\u0644\u0645\u0631\u0643\u0632\u064a\u0629 \u0648\u0627\u0643\u062a\u0634\u0627\u0641 \u0627\u0644\u0627\u0646\u062d\u0631\u0627\u0641 \u0648\u062d\u0645\u0627\u064a\u0629 \u0648\u0642\u062a \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u0648\u062f\u0639\u0645 \u0627\u0644\u0645\u0624\u0633\u0633\u0627\u062a.<\/p>\n \u0644\u0627 \u062a\u0648\u062c\u062f \u0623\u062f\u0627\u0629 \u0648\u0627\u062d\u062f\u0629 \u0647\u064a \u0627\u0644\u0623\u0641\u0636\u0644 \u0639\u0627\u0644\u0645\u064a\u064b\u0627. \u064a\u0639\u062a\u0645\u062f \u0627\u0644\u0645\u0627\u0633\u062d \u0627\u0644\u0645\u0646\u0627\u0633\u0628 \u0639\u0644\u0649 \u062d\u062c\u0645 \u0641\u0631\u064a\u0642\u0643 \u0648\u0633\u0637\u062d \u0627\u0644\u0647\u062c\u0648\u0645 \u0627\u0644\u0623\u0633\u0627\u0633\u064a \u0648\u0645\u064a\u0632\u0627\u0646\u064a\u062a\u0643 \u0648\u062a\u0641\u0636\u064a\u0644\u0627\u062a \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644. \u0625\u0644\u064a\u0643 \u0645\u0635\u0641\u0648\u0641\u0629 \u0642\u0631\u0627\u0631 \u0639\u0645\u0644\u064a\u0629:<\/p>\n \u0641\u064a \u0627\u0644\u0645\u0645\u0627\u0631\u0633\u0629 \u0627\u0644\u0639\u0645\u0644\u064a\u0629\u060c \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0639\u0644\u0649 \u0645\u0627\u0633\u062d \u0623\u0645\u0627\u0646 \u0648\u0627\u062d\u062f \u064a\u062a\u0631\u0643 \u0641\u062c\u0648\u0627\u062a. \u062a\u062a\u0641\u0648\u0642 \u0643\u0644 \u0623\u062f\u0627\u0629 \u0641\u064a \u0645\u062c\u0627\u0644\u0627\u062a \u0645\u062e\u062a\u0644\u0641\u0629\u060c \u0648\u0627\u0644\u0646\u0647\u062c \u0645\u062a\u0639\u062f\u062f \u0627\u0644\u0637\u0628\u0642\u0627\u062a \u064a\u0648\u0641\u0631 \u062f\u0641\u0627\u0639\u064b\u0627 \u0641\u064a \u0627\u0644\u0639\u0645\u0642. \u0627\u0644\u0647\u062f\u0641 \u0644\u064a\u0633 \u062a\u0634\u063a\u064a\u0644 \u0643\u0644 \u0623\u062f\u0627\u0629 \u0639\u0644\u0649 \u0643\u0644 \u0639\u0645\u0644\u064a\u0629 \u0625\u064a\u062f\u0627\u0639 \u2014 \u0628\u0644 \u062a\u0639\u064a\u064a\u0646 \u0627\u0644\u0645\u0627\u0633\u062d \u0627\u0644\u0645\u0646\u0627\u0633\u0628 \u0644\u0644\u0645\u0647\u0645\u0629 \u0627\u0644\u0645\u0646\u0627\u0633\u0628\u0629.<\/p>\n \u0625\u0644\u064a\u0643 \u0641\u0644\u0633\u0641\u0629 \u0639\u0645\u0644\u064a\u0629 \u0644\u062f\u0645\u062c \u0627\u0644\u0623\u062f\u0648\u0627\u062a:<\/p>\n \u0625\u0644\u064a\u0643 \u0633\u064a\u0631 \u0639\u0645\u0644 GitHub Actions \u0643\u0627\u0645\u0644 \u064a\u062c\u0645\u0639 \u0627\u0644\u062b\u0644\u0627\u062b\u0629:<\/p>\n \u064a\u0634\u063a\u0651\u0644 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0647\u0630\u0627 Trivy \u0648Checkov \u0628\u0627\u0644\u062a\u0648\u0627\u0632\u064a (\u064a\u0641\u062d\u0635\u0627\u0646 \u0623\u0634\u064a\u0627\u0621 \u0645\u062e\u062a\u0644\u0641\u0629)\u060c \u062b\u0645 \u064a\u0634\u063a\u0644 Grype \u0644\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 SBOM \u0628\u0639\u062f \u062a\u0623\u0643\u064a\u062f \u0627\u0644\u062d\u0627\u0648\u064a\u0629. \u064a\u062a\u0645 \u0631\u0641\u0639 \u062c\u0645\u064a\u0639 \u0627\u0644\u0646\u062a\u0627\u0626\u062c \u0628\u062a\u0646\u0633\u064a\u0642 SARIF \u0644\u062a\u0638\u0647\u0631 \u0641\u064a \u062a\u0628\u0648\u064a\u0628 \u0627\u0644\u0623\u0645\u0627\u0646 \u0641\u064a GitHub \u2014 \u0645\u0645\u0627 \u064a\u0645\u0646\u062d \u0641\u0631\u064a\u0642\u0643 \u0639\u0631\u0636\u064b\u0627 \u0645\u0648\u062d\u062f\u064b\u0627 \u0644\u0644\u0646\u062a\u0627\u0626\u062c \u0645\u0646 \u062c\u0645\u064a\u0639 \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0627\u0644\u062b\u0644\u0627\u062b.<\/p>\n \u0627\u0644\u0645\u0628\u0627\u062f\u0626 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0644\u062f\u0645\u062c \u0627\u0644\u0645\u0627\u0633\u062d\u0627\u062a \u0628\u0641\u0639\u0627\u0644\u064a\u0629:<\/p>\n \u0644\u0627 \u064a\u0648\u062c\u062f \u0645\u0627\u0633\u062d \u0623\u0645\u0627\u0646 CI\/CD \u0648\u0627\u062d\u062f “\u0623\u0641\u0636\u0644” \u2014 \u0641\u0642\u0637 \u0627\u0644\u0645\u0627\u0633\u062d \u0627\u0644\u0623\u0641\u0636\u0644 \u0644\u0633\u064a\u0627\u0642\u0643 \u0627\u0644\u0645\u062d\u062f\u062f. \u062a\u062a\u0641\u0648\u0642 \u0643\u0644 \u0645\u0646 \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0623\u0631\u0628\u0639 \u0627\u0644\u062a\u064a \u0642\u0627\u0631\u0646\u0627\u0647\u0627 \u0641\u064a \u0645\u062c\u0627\u0644 \u0645\u062e\u062a\u0644\u0641:<\/p>\n \u0627\u0644\u0645\u0628\u062f\u0623 \u0627\u0644\u0623\u0647\u0645 \u0647\u0648 \u0647\u0630\u0627: \u0623\u0641\u0636\u0644 \u0645\u0627\u0633\u062d \u0647\u0648 \u0627\u0644\u0630\u064a \u064a\u0633\u062a\u062e\u062f\u0645\u0647 \u0641\u0631\u064a\u0642\u0643 \u0641\u0639\u0644\u064a\u064b\u0627 \u0628\u0634\u0643\u0644 \u0645\u0633\u062a\u0645\u0631.<\/strong> \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u0645\u062a\u0639\u062f\u062f \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0645\u0643\u0648\u0651\u0646 \u0628\u0634\u0643\u0644 \u0645\u062b\u0627\u0644\u064a \u0644\u0643\u0646 \u064a\u0639\u0637\u0644\u0647 \u0627\u0644\u0645\u0637\u0648\u0631\u0648\u0646 \u0644\u0623\u0646\u0647 \u0628\u0637\u064a\u0621 \u062c\u062f\u064b\u0627 \u0623\u0648 \u0645\u0632\u0639\u062c \u062c\u062f\u064b\u0627 \u064a\u0648\u0641\u0631 \u0642\u064a\u0645\u0629 \u0623\u0645\u0646\u064a\u0629 \u0635\u0641\u0631\u064a\u0629. \u0627\u0628\u062f\u0623 \u0628\u0623\u062f\u0627\u0629 \u0648\u0627\u062d\u062f\u0629 \u062a\u0639\u0627\u0644\u062c \u0627\u0644\u0641\u062c\u0648\u0629 \u0627\u0644\u0623\u0643\u062b\u0631 \u0623\u0647\u0645\u064a\u0629 \u0644\u062f\u064a\u0643\u060c \u0648\u0627\u0636\u0628\u0637\u0647\u0627 \u0644\u062a\u0642\u0644\u064a\u0644 \u0627\u0644\u0625\u064a\u062c\u0627\u0628\u064a\u0627\u062a \u0627\u0644\u0643\u0627\u0630\u0628\u0629\u060c \u0648\u0623\u0636\u0641 \u0637\u0628\u0642\u0627\u062a \u0645\u0639 \u0646\u0636\u0648\u062c \u0628\u0631\u0646\u0627\u0645\u062c \u0627\u0644\u0623\u0645\u0627\u0646 \u0627\u0644\u062e\u0627\u0635 \u0628\u0643.<\/p>\n \u0644\u0645\u0639\u0638\u0645 \u0627\u0644\u0641\u0631\u0642 \u0627\u0644\u062a\u064a \u062a\u0628\u062f\u0623 \u0645\u0646 \u0627\u0644\u0635\u0641\u0631\u060c \u0646\u0648\u0635\u064a \u0628\u0627\u0644\u0628\u062f\u0621 \u0628\u0640 Trivy<\/strong> \u0644\u0627\u062a\u0633\u0627\u0639\u0647 \u0648\u0646\u0642\u0637\u0629 \u062f\u062e\u0648\u0644\u0647 \u0627\u0644\u0645\u062c\u0627\u0646\u064a\u0629\u060c \u062b\u0645 \u0625\u0636\u0627\u0641\u0629 Checkov<\/strong> \u0628\u0645\u062c\u0631\u062f \u0646\u0645\u0648 \u0628\u0635\u0645\u0629 IaC \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643. \u0645\u0646 \u0647\u0646\u0627\u0643\u060c \u0642\u064a\u0651\u0645 \u0645\u0627 \u0625\u0630\u0627 \u0643\u0627\u0646 Grype<\/strong> (\u0644\u0633\u064a\u0631 \u0639\u0645\u0644 SBOM) \u0623\u0648 Snyk<\/strong> (\u0644\u062a\u062c\u0631\u0628\u0629 \u0627\u0644\u0645\u0637\u0648\u0631 \u0648\u0627\u0644\u0625\u0635\u0644\u0627\u062d\u0627\u062a \u0627\u0644\u062a\u0644\u0642\u0627\u0626\u064a\u0629) \u064a\u0633\u062f \u0627\u0644\u0641\u062c\u0648\u0627\u062a \u0627\u0644\u0645\u062a\u0628\u0642\u064a\u0629 \u0641\u064a \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628\u0643.<\/p>\n \u0641\u062d\u0635 \u0627\u0644\u0623\u0645\u0627\u0646 \u0644\u064a\u0633 \u0625\u0639\u062f\u0627\u062f\u064b\u0627 \u0644\u0645\u0631\u0629 \u0648\u0627\u062d\u062f\u0629 \u2014 \u0625\u0646\u0647 \u0645\u0645\u0627\u0631\u0633\u0629 \u0645\u0633\u062a\u0645\u0631\u0629. \u0627\u062e\u062a\u0631 \u0623\u062f\u0648\u0627\u062a\u0643 \u0648\u0627\u062f\u0645\u062c\u0647\u0627 \u0628\u062a\u0645\u0639\u0651\u0646 \u0648\u0643\u0631\u0651\u0631. \u0633\u062a\u0634\u0643\u0631\u0643 \u0646\u0641\u0633\u0643 \u0627\u0644\u0645\u0633\u062a\u0642\u0628\u0644\u064a\u0629.<\/p>\n","protected":false},"excerpt":{"rendered":" \u0645\u0642\u062f\u0645\u0629 \u0644\u0645 \u064a\u0639\u062f \u062a\u0623\u0645\u064a\u0646 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0623\u0645\u0631\u064b\u0627 \u0627\u062e\u062a\u064a\u0627\u0631\u064a\u064b\u0627 \u2014 \u0628\u0644 \u0623\u0635\u0628\u062d \u0645\u062a\u0637\u0644\u0628\u064b\u0627 \u0623\u0633\u0627\u0633\u064a\u064b\u0627 \u0644\u0623\u064a \u0645\u0624\u0633\u0633\u0629 \u0628\u0631\u0645\u062c\u064a\u0629 \u062d\u062f\u064a\u062b\u0629. \u0645\u0639 \u062a\u0632\u0627\u064a\u062f \u0647\u062c\u0645\u0627\u062a \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0645\u0646 \u062d\u064a\u062b \u0627\u0644\u062a\u0643\u0631\u0627\u0631 \u0648\u0627\u0644\u062a\u0639\u0642\u064a\u062f\u060c \u0641\u0625\u0646 \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0627\u0644\u062a\u064a \u062a\u062f\u0645\u062c\u0647\u0627 \u0641\u064a \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u0628\u0646\u0627\u0621 \u0648\u0627\u0644\u0646\u0634\u0631 \u062a\u062d\u062f\u062f \u0628\u0634\u0643\u0644 \u0645\u0628\u0627\u0634\u0631 \u0648\u0636\u0639\u0643 \u0627\u0644\u0623\u0645\u0646\u064a. \u0644\u0643\u0646 \u0645\u0639 \u062a\u0646\u0627\u0645\u064a \u0645\u0646\u0638\u0648\u0645\u0629 \u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0641\u062d\u0635\u060c \u0642\u062f \u064a\u0643\u0648\u0646 \u0627\u062e\u062a\u064a\u0627\u0631 \u0627\u0644\u0623\u062f\u0627\u0629 \u0627\u0644\u0645\u0646\u0627\u0633\u0628\u0629 (\u0623\u0648 \u0627\u0644\u062a\u0631\u0643\u064a\u0628\u0629 \u0627\u0644\u0645\u0646\u0627\u0633\u0628\u0629) … \u0627\u0642\u0631\u0623 \u0627\u0644\u0645\u0632\u064a\u062f<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,27],"tags":[],"post_folder":[],"class_list":["post-801","post","type-post","status-publish","format-standard","hentry","category-ci-cd-security","category-software-supply-chain"],"_links":{"self":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/801","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/comments?post=801"}],"version-history":[{"count":0,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/801\/revisions"}],"wp:attachment":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/media?parent=801"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/categories?post=801"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/tags?post=801"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/post_folder?post=801"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\u0645\u0639\u0627\u064a\u064a\u0631 \u0627\u0644\u0627\u062e\u062a\u064a\u0627\u0631: \u0645\u0627 \u0627\u0644\u0630\u064a \u064a\u0647\u0645 \u0641\u064a \u0623\u062f\u0627\u0629 \u0641\u062d\u0635 \u0623\u0645\u0627\u0646 CI\/CD<\/h2>\n
\n
Trivy: \u0623\u062f\u0627\u0629 \u0627\u0644\u0641\u062d\u0635 \u0645\u0641\u062a\u0648\u062d\u0629 \u0627\u0644\u0645\u0635\u062f\u0631 \u0627\u0644\u0634\u0627\u0645\u0644\u0629<\/h2>\n
\u0645\u0627 \u0627\u0644\u0630\u064a \u064a\u0641\u062d\u0635\u0647 Trivy<\/h3>\n
\n
\u0646\u0642\u0627\u0637 \u0627\u0644\u0642\u0648\u0629<\/h3>\n
\n
trivy image your-image:tag<\/code> \u0648\u0633\u062a\u062d\u0635\u0644 \u0639\u0644\u0649 \u0627\u0644\u0646\u062a\u0627\u0626\u062c \u0641\u0648\u0631\u064b\u0627. \u0644\u0627 \u062d\u0633\u0627\u0628\u0627\u062a \u0648\u0644\u0627 \u0645\u0641\u0627\u062a\u064a\u062d API \u0648\u0644\u0627 \u0645\u0644\u0641\u0627\u062a \u062a\u0643\u0648\u064a\u0646 \u0645\u0637\u0644\u0648\u0628\u0629 \u0644\u0644\u0641\u062d\u0635 \u0627\u0644\u0623\u0633\u0627\u0633\u064a.<\/li>\n\u0627\u0644\u0642\u064a\u0648\u062f<\/h3>\n
\n
\u062a\u0643\u0627\u0645\u0644 CI\/CD<\/h3>\n
name: Trivy Container Scan\non: push\njobs:\n scan:\n runs-on: ubuntu-latest\n steps:\n - uses: actions\/checkout@v4\n - name: Build image\n run: docker build -t myapp:${{ github.sha }} .\n - name: Run Trivy vulnerability scanner\n uses: aquasecurity\/trivy-action@master\n with:\n image-ref: myapp:${{ github.sha }}\n format: table\n exit-code: 1\n severity: CRITICAL,HIGH<\/code><\/pre>\ntrivy-scan:\n stage: test\n image:\n name: aquasec\/trivy:latest\n entrypoint: [\"\"]\n script:\n - trivy image --exit-code 1 --severity CRITICAL,HIGH myapp:${CI_COMMIT_SHA}\n allow_failure: false<\/code><\/pre>\n\u0627\u0644\u062a\u0633\u0639\u064a\u0631<\/h3>\n
Grype: \u0645\u0627\u0633\u062d \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0627\u0644\u0623\u0635\u0644\u064a \u0644\u0640 SBOM<\/h2>\n
\u0645\u0627 \u0627\u0644\u0630\u064a \u064a\u0641\u062d\u0635\u0647 Grype<\/h3>\n
\n
\u0646\u0642\u0627\u0637 \u0627\u0644\u0642\u0648\u0629<\/h3>\n
\n
\u0627\u0644\u0642\u064a\u0648\u062f<\/h3>\n
\n
\u062a\u0643\u0627\u0645\u0644 CI\/CD<\/h3>\n
name: SBOM + Vulnerability Scan\non: push\njobs:\n scan:\n runs-on: ubuntu-latest\n steps:\n - uses: actions\/checkout@v4\n - name: Build image\n run: docker build -t myapp:${{ github.sha }} .\n - name: Generate SBOM with Syft\n uses: anchore\/sbom-action@v0\n with:\n image: myapp:${{ github.sha }}\n output-file: sbom.spdx.json\n format: spdx-json\n - name: Scan SBOM with Grype\n uses: anchore\/scan-action@v4\n with:\n sbom: sbom.spdx.json\n fail-build: true\n severity-cutoff: high<\/code><\/pre>\n\u0627\u0644\u062a\u0633\u0639\u064a\u0631<\/h3>\n
Snyk: \u0645\u0646\u0635\u0629 \u0627\u0644\u0623\u0645\u0627\u0646 \u0627\u0644\u0645\u0648\u062c\u0647\u0629 \u0644\u0644\u0645\u0637\u0648\u0631\u064a\u0646<\/h2>\n
\u0645\u0627 \u0627\u0644\u0630\u064a \u064a\u0641\u062d\u0635\u0647 Snyk<\/h3>\n
\n
\u0646\u0642\u0627\u0637 \u0627\u0644\u0642\u0648\u0629<\/h3>\n
\n
\u0627\u0644\u0642\u064a\u0648\u062f<\/h3>\n
\n
\u062a\u0643\u0627\u0645\u0644 CI\/CD<\/h3>\n
name: Snyk Security Scan\non: push\njobs:\n scan:\n runs-on: ubuntu-latest\n steps:\n - uses: actions\/checkout@v4\n - name: Run Snyk to check for vulnerabilities\n uses: snyk\/actions\/node@master\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}\n with:\n args: --severity-threshold=high\n - name: Run Snyk Container scan\n uses: snyk\/actions\/docker@master\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}\n with:\n image: myapp:${{ github.sha }}\n args: --severity-threshold=high<\/code><\/pre>\n\u0627\u0644\u062a\u0633\u0639\u064a\u0631<\/h3>\n
\n
Checkov: \u0628\u0637\u0644 \u0623\u0645\u0627\u0646 \u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629 \u0643\u0631\u0645\u0632<\/h2>\n
\u0645\u0627 \u0627\u0644\u0630\u064a \u064a\u0641\u062d\u0635\u0647 Checkov<\/h3>\n
\n
\u0646\u0642\u0627\u0637 \u0627\u0644\u0642\u0648\u0629<\/h3>\n
\n
\u0627\u0644\u0642\u064a\u0648\u062f<\/h3>\n
\n
\u062a\u0643\u0627\u0645\u0644 CI\/CD<\/h3>\n
name: Checkov IaC Scan\non: push\njobs:\n checkov:\n runs-on: ubuntu-latest\n steps:\n - uses: actions\/checkout@v4\n - name: Run Checkov\n uses: bridgecrewio\/checkov-action@master\n with:\n directory: .\/terraform\n framework: terraform\n soft_fail: false\n output_format: sarif\n quiet: true<\/code><\/pre>\n\u0627\u0644\u062a\u0633\u0639\u064a\u0631<\/h3>\n
\u062c\u062f\u0648\u0644 \u0627\u0644\u0645\u0642\u0627\u0631\u0646\u0629 \u062c\u0646\u0628\u064b\u0627 \u0625\u0644\u0649 \u062c\u0646\u0628<\/h2>\n
\n\n
\n \n\u0627\u0644\u0645\u064a\u0632\u0629<\/th>\n Trivy<\/th>\n Grype<\/th>\n Snyk<\/th>\n Checkov<\/th>\n<\/tr>\n<\/thead>\n \n \u0641\u062d\u0635 \u0627\u0644\u062b\u063a\u0631\u0627\u062a<\/strong><\/td>\n \u0646\u0639\u0645 \u2014 \u062d\u0632\u0645 \u0646\u0638\u0627\u0645 \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u0648\u062a\u0628\u0639\u064a\u0627\u062a \u0627\u0644\u062a\u0637\u0628\u064a\u0642\u0627\u062a<\/td>\n \u0646\u0639\u0645 \u2014 \u062d\u0632\u0645 \u0646\u0638\u0627\u0645 \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u0648\u062a\u0628\u0639\u064a\u0627\u062a \u0627\u0644\u062a\u0637\u0628\u064a\u0642\u0627\u062a<\/td>\n \u0646\u0639\u0645 \u2014 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0648\u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0648\u0627\u0644\u0631\u0645\u0632<\/td>\n \u0644\u0627<\/td>\n<\/tr>\n \n \u0625\u0646\u0634\u0627\u0621 SBOM<\/strong><\/td>\n \u0646\u0639\u0645 (SPDX, CycloneDX)<\/td>\n \u0639\u0628\u0631 Syft (\u0623\u062f\u0627\u0629 \u0645\u0635\u0627\u062d\u0628\u0629)<\/td>\n \u0645\u062d\u062f\u0648\u062f<\/td>\n \u0644\u0627<\/td>\n<\/tr>\n \n \u0641\u062d\u0635 IaC<\/strong><\/td>\n \u0646\u0639\u0645 (Terraform, CF, K8s, Docker)<\/td>\n \u0644\u0627<\/td>\n \u0646\u0639\u0645 (Terraform, CF, K8s, ARM)<\/td>\n \u0646\u0639\u0645 \u2014 \u0623\u0643\u062b\u0631 \u0645\u0646 1,000 \u0633\u064a\u0627\u0633\u0629 \u0648\u062a\u062d\u0644\u064a\u0644 \u0639\u0645\u064a\u0642<\/td>\n<\/tr>\n \n \u0641\u062d\u0635 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a<\/strong><\/td>\n \u0646\u0639\u0645<\/td>\n \u0646\u0639\u0645<\/td>\n \u0646\u0639\u0645<\/td>\n Dockerfiles \u0641\u0642\u0637 (\u062a\u062d\u0644\u064a\u0644 \u0627\u0644\u062a\u0643\u0648\u064a\u0646)<\/td>\n<\/tr>\n \n \u0627\u0644\u0627\u0645\u062a\u062b\u0627\u0644 \u0644\u0644\u062a\u0631\u0627\u062e\u064a\u0635<\/strong><\/td>\n \u0646\u0639\u0645<\/td>\n \u0644\u0627<\/td>\n \u0646\u0639\u0645<\/td>\n \u0644\u0627<\/td>\n<\/tr>\n \n \u062a\u0643\u0627\u0645\u0644 CI\/CD<\/strong><\/td>\n \u0645\u0645\u062a\u0627\u0632 \u2014 \u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u0646\u0635\u0627\u062a<\/td>\n \u062c\u064a\u062f \u2014 \u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u0646\u0635\u0627\u062a<\/td>\n \u0645\u0645\u062a\u0627\u0632 \u2014 \u062a\u0643\u0627\u0645\u0644\u0627\u062a \u0623\u0635\u0644\u064a\u0629<\/td>\n \u0645\u0645\u062a\u0627\u0632 \u2014 \u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u0646\u0635\u0627\u062a<\/td>\n<\/tr>\n \n \u0627\u0644\u0633\u0631\u0639\u0629<\/strong><\/td>\n \u0633\u0631\u064a\u0639 \u062c\u062f\u064b\u0627 (\u0642\u0627\u0639\u062f\u0629 \u0628\u064a\u0627\u0646\u0627\u062a \u0645\u062e\u0632\u0646\u0629 \u0645\u0624\u0642\u062a\u064b\u0627)<\/td>\n \u0633\u0631\u064a\u0639<\/td>\n \u0645\u062a\u0648\u0633\u0637 (\u0627\u0633\u062a\u062f\u0639\u0627\u0621\u0627\u062a API)<\/td>\n \u0633\u0631\u064a\u0639 (\u062a\u062d\u0644\u064a\u0644 \u0645\u062d\u0644\u064a)<\/td>\n<\/tr>\n \n \u0645\u0639\u062f\u0644 \u0627\u0644\u0625\u064a\u062c\u0627\u0628\u064a\u0627\u062a \u0627\u0644\u0643\u0627\u0630\u0628\u0629<\/strong><\/td>\n \u0645\u0646\u062e\u0641\u0636<\/td>\n \u0645\u0646\u062e\u0641\u0636<\/td>\n \u0645\u0646\u062e\u0641\u0636 (\u0645\u0639 \u0627\u0644\u062a\u0631\u062a\u064a\u0628 \u062d\u0633\u0628 \u0627\u0644\u0623\u0648\u0644\u0648\u064a\u0629)<\/td>\n \u0645\u0646\u062e\u0641\u0636-\u0645\u062a\u0648\u0633\u0637 (\u064a\u0639\u062a\u0645\u062f \u0639\u0644\u0649 \u0627\u0644\u062a\u0643\u0648\u064a\u0646)<\/td>\n<\/tr>\n \n \u0627\u0644\u062a\u0633\u0639\u064a\u0631<\/strong><\/td>\n \u0645\u062c\u0627\u0646\u064a \/ \u0645\u0641\u062a\u0648\u062d \u0627\u0644\u0645\u0635\u062f\u0631<\/td>\n \u0645\u062c\u0627\u0646\u064a \/ \u0645\u0641\u062a\u0648\u062d \u0627\u0644\u0645\u0635\u062f\u0631<\/td>\n \u0645\u0633\u062a\u0648\u0649 \u0645\u062c\u0627\u0646\u064a \u062b\u0645 \u0641\u0631\u064a\u0642 \u062b\u0645 \u0645\u0624\u0633\u0633\u0627\u062a<\/td>\n \u0645\u062c\u0627\u0646\u064a \/ \u0645\u0641\u062a\u0648\u062d \u0627\u0644\u0645\u0635\u062f\u0631<\/td>\n<\/tr>\n \n \u0627\u0644\u0623\u0641\u0636\u0644 \u0644\u0640<\/strong><\/td>\n \u0641\u062d\u0635 \u0634\u0627\u0645\u0644 \u0644\u0623\u064a \u0641\u0631\u064a\u0642<\/td>\n \u0641\u062d\u0635 \u062b\u063a\u0631\u0627\u062a \u064a\u0631\u0643\u0632 \u0639\u0644\u0649 SBOM<\/td>\n \u062a\u062c\u0631\u0628\u0629 \u0627\u0644\u0645\u0637\u0648\u0631 \u0648\u0623\u062a\u0645\u062a\u0629 \u0627\u0644\u0625\u0635\u0644\u0627\u062d<\/td>\n \u0627\u0645\u062a\u062b\u0627\u0644 IaC \u0648\u0625\u0646\u0641\u0627\u0630 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \u0645\u062a\u0649 \u062a\u0633\u062a\u062e\u062f\u0645 \u0623\u064a \u0623\u062f\u0627\u0629: \u0645\u0635\u0641\u0648\u0641\u0629 \u0627\u0644\u0642\u0631\u0627\u0631<\/h2>\n
\u0627\u062e\u062a\u0631 Trivy \u0625\u0630\u0627…<\/h3>\n
\n
\u0627\u062e\u062a\u0631 Grype + Syft \u0625\u0630\u0627…<\/h3>\n
\n
\u0627\u062e\u062a\u0631 Snyk \u0625\u0630\u0627…<\/h3>\n
\n
\u0627\u062e\u062a\u0631 Checkov \u0625\u0630\u0627…<\/h3>\n
\n
\u062a\u0631\u0643\u064a\u0628\u0627\u062a \u0627\u0644\u062a\u063a\u0637\u064a\u0629 \u0627\u0644\u0642\u0635\u0648\u0649<\/h3>\n
\n
\u062f\u0645\u062c \u0627\u0644\u0623\u062f\u0648\u0627\u062a: \u0628\u0646\u0627\u0621 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u0645\u062a\u0639\u062f\u062f \u0627\u0644\u0645\u0627\u0633\u062d\u0627\u062a<\/h2>\n
\n
name: Multi-Scanner Security Pipeline\non:\n push:\n branches: [main]\n pull_request:\n branches: [main]\n\njobs:\n trivy-container-scan:\n name: Trivy \u2014 Container Vulnerabilities\n runs-on: ubuntu-latest\n steps:\n - uses: actions\/checkout@v4\n - name: Build image\n run: docker build -t myapp:${{ github.sha }} .\n - name: Trivy vulnerability scan\n uses: aquasecurity\/trivy-action@master\n with:\n image-ref: myapp:${{ github.sha }}\n format: sarif\n output: trivy-results.sarif\n exit-code: 1\n severity: CRITICAL,HIGH\n - name: Upload Trivy SARIF\n uses: github\/codeql-action\/upload-sarif@v3\n if: always()\n with:\n sarif_file: trivy-results.sarif\n\n checkov-iac-scan:\n name: Checkov \u2014 IaC Compliance\n runs-on: ubuntu-latest\n steps:\n - uses: actions\/checkout@v4\n - name: Checkov IaC scan\n uses: bridgecrewio\/checkov-action@master\n with:\n directory: .\/terraform\n framework: terraform\n output_format: sarif\n soft_fail: false\n - name: Upload Checkov SARIF\n uses: github\/codeql-action\/upload-sarif@v3\n if: always()\n with:\n sarif_file: results.sarif\n\n sbom-verification:\n name: Grype + Syft \u2014 SBOM Verification\n runs-on: ubuntu-latest\n needs: trivy-container-scan\n steps:\n - uses: actions\/checkout@v4\n - name: Build image\n run: docker build -t myapp:${{ github.sha }} .\n - name: Generate SBOM with Syft\n uses: anchore\/sbom-action@v0\n with:\n image: myapp:${{ github.sha }}\n output-file: sbom.spdx.json\n format: spdx-json\n - name: Upload SBOM as artifact\n uses: actions\/upload-artifact@v4\n with:\n name: sbom\n path: sbom.spdx.json\n - name: Scan SBOM with Grype\n uses: anchore\/scan-action@v4\n with:\n sbom: sbom.spdx.json\n fail-build: true\n severity-cutoff: high\n output-format: sarif\n - name: Upload Grype SARIF\n uses: github\/codeql-action\/upload-sarif@v3\n if: always()\n with:\n sarif_file: results.sarif<\/code><\/pre>\n\n
\u0627\u0644\u062e\u0627\u062a\u0645\u0629<\/h2>\n
\n