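---
# Trivy scan of the published image, run daily, on demand, from a caller
# workflow, or after the build workflow completes. The job fails (and sends a
# Telegram notification) when any vulnerability is reported.
name: Vulnerability Scan

env:
  REGISTRY: docker.asperti.com
  REPOSITORY: paspo/docker-aptly-pusher
  # Trivy release installed by the "Setup trivy" step; bump it here only.
  TRIVY_VERSION: "0.58.2"

# Least privilege: the job pulls an image and talks to external services with
# its own secrets; it never needs write access through GITHUB_TOKEN.
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: "0 14 * * *"
  workflow_dispatch:
  workflow_call:
  workflow_run:
    # NOTE(review): workflow_run.workflows matches the triggering workflow's
    # `name:` field, not its file name — confirm "build_and_publish.yaml" is
    # really the name declared in that workflow.
    workflows: [build_and_publish.yaml]
    types: [completed]

jobs:
  scan:
    name: Daily Vulnerability Scan
    # workflow_run fires on every completion; only scan after a successful
    # build. The other triggers carry no workflow_run payload and always run.
    if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
    runs-on:
      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
    container:
      image: catthehacker/ubuntu:act-latest
    strategy:
      matrix:
        arch: [amd64, arm64]
    steps:
      - name: Pull docker image
        run: docker pull "${REGISTRY}/${REPOSITORY}:latest"

      - name: Setup trivy
        run: |
          echo "Installing Trivy ${TRIVY_VERSION} for arch: $(uname -m)"
          case "$(uname -m)" in
            x86_64)  pkg="trivy_${TRIVY_VERSION}_Linux-64bit.deb" ;;
            aarch64) pkg="trivy_${TRIVY_VERSION}_Linux-ARM64.deb" ;;
            *) echo "unsupported architecture: $(uname -m)" >&2; exit 1 ;;
          esac
          # NOTE(review): the package is installed without checksum or
          # signature verification; verify it against the checksum file that
          # ships with the release before running dpkg -i.
          wget -O /tmp/trivy.deb "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/${pkg}"
          dpkg -i /tmp/trivy.deb

      - name: Run Trivy vulnerability scanner
        id: scan
        # Secrets are handed over through the environment rather than expanded
        # into the script text, so they never become part of the command line
        # and cannot alter the shell syntax.
        env:
          TRIVY_SERVER: ${{ secrets.TRIVY_SERVER }}
          TRIVY_TOKEN: ${{ secrets.TRIVY_TOKEN }}
        run: |
          trivy --server "${TRIVY_SERVER}" --token "${TRIVY_TOKEN}" image --format json "${REGISTRY}/${REPOSITORY}:latest" > trivy-results.json

      # Fail the job when any vulnerability is found. The count covers every
      # result target (OS packages and each language ecosystem), not only
      # .Results[0], and tolerates a missing or null Vulnerabilities array.
      - name: check output
        id: vulncount
        run: |
          count="$(jq '[.Results[]? | (.Vulnerabilities // []) | length] | add // 0' trivy-results.json)"
          echo "VULNCOUNT=${count}" >> "${GITHUB_OUTPUT}"
          if [ "${count}" -ne 0 ]; then
            echo "Found ${count} vulnerabilities" >&2
            exit 1
          fi

      - name: send telegram notification
        if: failure()
        # NOTE(review): @master is a mutable ref; pin this third-party action to
        # a release tag or a full commit SHA (@<commit-sha>) so the code that
        # receives TELEGRAM_TOKEN cannot change underneath the workflow.
        uses: appleboy/telegram-action@master
        with:
          to: ${{ secrets.TELEGRAM_TO }}
          token: ${{ secrets.TELEGRAM_TOKEN }}
          format: markdown
          # VULNCOUNT is empty when an earlier step (pull, install, scan)
          # failed; report that instead of a blank number.
          message: |
            Found **${{ steps.vulncount.outputs.VULNCOUNT || 'unknown' }}** vulnerabilities in `${{ github.repository }}`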