Compare commits
9 Commits
d0292ac192
...
develop
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
a0d1e10c78 | ||
|
|
88892ac425 | ||
|
|
b7d091c84a | ||
|
|
93ba03f619 | ||
|
|
92d7e04154 | ||
|
|
51834e732e | ||
|
|
3498a23ee1 | ||
|
|
c5b66c4298 | ||
|
|
f3984f8b57 |
41
.gitea/workflows/image-scan.yaml
Normal file
41
.gitea/workflows/image-scan.yaml
Normal file
@@ -0,0 +1,41 @@
|
||||
name: Scan Image for CVEs
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- develop
|
||||
|
||||
env: # global: unkritische, strukturgebende Variablen
|
||||
TARGET_HOST: host.containers.internal
|
||||
TARGET_USER: traefik
|
||||
CONTAINER_NAME: localhost/valtrix-website
|
||||
|
||||
jobs:
|
||||
scan_image:
|
||||
runs-on: ubuntu-latest
|
||||
env: # Job-spezifisch: Secrets und sensible Werte
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
|
||||
|
||||
steps:
|
||||
- name: Setup SSH for git/scp
|
||||
shell: bash
|
||||
run: |
|
||||
install -m 700 -d ~/.ssh
|
||||
printf "%s\n" "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
|
||||
chmod 600 ~/.ssh/id_ed25519
|
||||
printf "%s\n" "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts || true
|
||||
chmod 644 ~/.ssh/known_hosts
|
||||
# Ensure host keys exist
|
||||
(ssh-keygen -F "$TARGET_HOST" >/dev/null || ssh-keyscan -H "$TARGET_HOST" >> ~/.ssh/known_hosts) || true
|
||||
(ssh-keygen -F gitea.smb-corp.de >/dev/null || ssh-keyscan -H gitea.smb-corp.de >> ~/.ssh/known_hosts) || true
|
||||
|
||||
- name: Scan container image with Trivy
|
||||
shell: bash
|
||||
run: |
|
||||
ssh -i ~/.ssh/id_ed25519 $TARGET_USER@$TARGET_HOST "
|
||||
set -euo pipefail
|
||||
export CONTAINER_NAME='$CONTAINER_NAME'
|
||||
trivy image localhost/valtrix-website:latest
|
||||
"
|
||||
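Review bot: The two `ssh-keyscan -H … || true` fallbacks at the end of the "Setup SSH" step replace host-key pinning with trust-on-first-use whenever the `SSH_KNOWN_HOSTS` secret is empty or the preceding `printf … || true` fails, so the job still connects to whatever answers at `$TARGET_HOST` instead of failing. Drop both keyscan lines and abort when the pinned file is empty, e.g. `[ -s ~/.ssh/known_hosts ] || { echo "SSH_KNOWN_HOSTS secret is empty" >&2; exit 1; }`. In the Trivy step, `trivy image localhost/valtrix-website:latest` hardcodes the image although `CONTAINER_NAME` is exported one line earlier, and without an exit-code option the step succeeds regardless of findings, so the workflow reports but never gates; `trivy image --exit-code 1 --severity HIGH,CRITICAL '$CONTAINER_NAME:latest'` would make it fail on relevant CVEs. The YAML indentation is not preserved in this rendering, so nesting is inferred.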
1
.gitignore
vendored
1
.gitignore
vendored
@@ -1,5 +1,4 @@
|
||||
node_modules
|
||||
package-lock.json
|
||||
dist
|
||||
.env
|
||||
.DS_Store
|
||||
|
||||
@@ -1,34 +1,26 @@
|
||||
###########
|
||||
# BUILD STAGE
|
||||
###########
|
||||
FROM cgr.dev/chainguard/node:latest-dev AS build
|
||||
# Multi-stage build for Astro static site
|
||||
FROM node:22-alpine AS builder
|
||||
WORKDIR /app
|
||||
|
||||
# Copy dependency manifests
|
||||
# Install deps
|
||||
COPY package*.json ./
|
||||
RUN npm ci || npm install
|
||||
|
||||
# Install all deps (inkl. dev)
|
||||
RUN --mount=type=cache,target=/root/.npm npm ci
|
||||
|
||||
# Copy app source and build
|
||||
# Copy sources and build static output
|
||||
COPY . .
|
||||
RUN npm run build
|
||||
|
||||
###########
|
||||
# RUNTIME STAGE
|
||||
###########
|
||||
FROM cgr.dev/chainguard/node:latest
|
||||
ENV NODE_ENV=production
|
||||
# ---- Runtime stage ----
|
||||
FROM node:22-alpine AS runtime
|
||||
WORKDIR /app
|
||||
|
||||
# Copy only what’s needed to run
|
||||
COPY --from=build /app/package*.json ./
|
||||
COPY --from=build /app/node_modules ./node_modules
|
||||
COPY --from=build /app/dist ./dist
|
||||
COPY --from=build /app/server.mjs ./server.mjs
|
||||
|
||||
# Chainguard runs as nonroot by default (user `nonroot`)
|
||||
USER nonroot
|
||||
ENV NODE_ENV=production
|
||||
ENV PORT=3000
|
||||
ENV WEB_ROOT=/app/dist
|
||||
ENV TZ=Europe/Berlin
|
||||
ENV ASTRO_TELEMETRY_DISABLED=1
|
||||
COPY --from=builder /app/dist /app/dist
|
||||
COPY server.mjs /app/server.mjs
|
||||
# Drop root: use the pre-created node user
|
||||
USER node
|
||||
#EXPOSE 3000
|
||||
|
||||
CMD ["node", "./server.mjs"]
|
||||
CMD ["node", "/app/server.mjs"]
|
||||
|
||||
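Review bot: `RUN npm ci || npm install` in the new builder stage turns a lockfile mismatch into a silent fallback: `npm ci` is meant to fail when package-lock.json and package.json disagree, and `|| npm install` then resolves fresh versions inside the image, so the build no longer reproduces the committed dependency set that the new image scan is supposed to cover. With package-lock.json added in this same compare the fallback should go: `RUN npm ci`. The runtime stage now copies only `/app/dist` and `server.mjs` and no longer copies `node_modules`; if `server.mjs` imports anything beyond Node built-ins it will fail at start, which is worth confirming against that file. `node:22-alpine` is a moving tag, so pinning it by digest (`node:22-alpine@sha256:<DIGEST>`, placeholder) would keep the scanned image tied to a known base. The file header for this section is not in view, and old/new sides are inferred from line pairing.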
6320
package-lock.json
generated
Normal file
6320
package-lock.json
generated
Normal file
@@ -3,7 +3,7 @@ import Base from "../../layouts/Base.astro";
|
||||
const benefits = [
|
||||
{ title: "Zero-Trust & Härtung", text: "Security-by-Design, CIS/BSI-Richtlinien, automatisierte Policies." },
|
||||
{ title: "Cloud Foundations", text: "Landing Zones, Identity, Observability – sauber & skalierbar." },
|
||||
{ title: "Automatisierung", text: "IaC/CI/CD, GitOps, wiederholbar & auditfähig." }
|
||||
{ title: "Automatisierung", text: "IaC, CI/CD, GitOps, wiederholbar & auditfähig." }
|
||||
];
|
||||
const approach = [
|
||||
{ title: 'Assess', text: 'Risiko- und Reifegradanalyse: schneller Quick-Scan, klare Prioritäten.' },
|
||||
@@ -46,7 +46,7 @@ const approach = [
|
||||
<h2 class="text-2xl font-bold mb-6">Leistungen</h2>
|
||||
<div class="grid md:grid-cols-3 gap-6">
|
||||
<div class="p-6 border rounded-brand card">
|
||||
<h3 class="font-semibold text-lg">Cloud & DevOps</h3>
|
||||
<h3 class="font-semibold text-lg">Cloud & DevSecOps</h3>
|
||||
<p class="mt-2 text-textMuted">Plan, Build & Run – effizient, sicher, skalierbar.</p>
|
||||
<a href="/de/leistungen" class="mt-3 inline-block text-primary underline">Mehr erfahren</a>
|
||||
</div>
|
||||
|
||||
@@ -3,10 +3,10 @@ import Base from "../../layouts/Base.astro";
|
||||
const benefits = [
|
||||
{ title: "Zero-Trust & Hardening", text: "Security-by-Design, CIS/BSI guidelines, automated policies." },
|
||||
{ title: "Cloud Foundations", text: "Landing zones, identity, observability – clean & scalable." },
|
||||
{ title: "Automation", text: "IaC/CI/CD, GitOps, reproducible & auditable." }
|
||||
{ title: "Automation", text: "IaC, CI/CD, GitOps, reproducible & auditable." }
|
||||
];
|
||||
const features = [
|
||||
{ title: "Cloud & DevOps", text: "Plan, Build & Run – efficient, secure, scalable." },
|
||||
{ title: "Cloud & SecOps", text: "Plan, Build & Run – efficient, secure, scalable." },
|
||||
{ title: "Security & Compliance", text: "BSI/ISO-aligned, Zero-Trust, audits, policies-as-code." },
|
||||
{ title: "AI & Automation", text: "RAG, agents & process automation with measurable outcome." }
|
||||
];
|
||||
|
||||
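Review bot: The service title becomes `Cloud & DevSecOps` on the German page (`<h3>` in the first section) but `Cloud & SecOps` in the English `features` array, so the two locales now name the same offering differently. Align them, e.g. `{ title: "Cloud & DevSecOps", text: "Plan, Build & Run – efficient, secure, scalable." },` in the English file, unless the distinction is intentional. The file headers for both sections are not in view, so which files these are is inferred from the hunk context.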