docker-dnscache/.gitea/workflows/vulnscan.yaml

name: Vulnerability Scan

on:
  schedule:
    - cron: "0 14 * * *"
  workflow_dispatch:

jobs:
  scan:
    name: Daily Vulnerability Scan
    runs-on: ubuntu-latest
    container:
      image: catthehacker/ubuntu:act-latest

    steps:
      - name: Pull docker image
        run: docker pull docker.asperti.com/paspo/dnscache:latest

      - name: Setup trivy
        run: |
          echo "Installing Trivy for arch: $(uname -m)"
          case $(uname -m) in
            x86_64)
              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
            aarch64)
              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
            *) exit 1 ;;
          esac
          dpkg -i /tmp/trivy.deb

      - name: Run Trivy vulnerability scanner
        id: scan
        run: |
          trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json docker.asperti.com/paspo/dnscache:latest > trivy-results.json

      # if some vulnerability is found, we fail
      - name: check output
        id: vulncount
        run: |
          echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
          if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi

      - name: send telegram notification
        if: failure()
        uses: appleboy/telegram-action@master
        with:
          to: ${{ secrets.TELEGRAM_TO }}
          token: ${{ secrets.TELEGRAM_TOKEN }}
          format: markdown
          message: |
            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`
initial import 2024-03-28 10:26:52 +01:00			`name: Vulnerability Scan`

			`on:`
			`schedule:`
			`- cron: "0 14 * * *"`
			`workflow_dispatch:`

			`jobs:`
			`scan:`
			`name: Daily Vulnerability Scan`
			`runs-on: ubuntu-latest`
			`container:`
			`image: catthehacker/ubuntu:act-latest`

			`steps:`
			`- name: Pull docker image`
			`run: docker pull docker.asperti.com/paspo/dnscache:latest`

cached trivy db 2024-12-02 16:23:52 +01:00			`- name: Setup trivy`
			`run: \|`
multiarch trivy 2025-01-17 07:57:03 +01:00			`echo "Installing Trivy for arch: $(uname -m)"`
			`case $(uname -m) in`
			`x86_64)`
			`wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;`
			`aarch64)`
			`wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;`
			`*) exit 1 ;;`
			`esac`
cached trivy db 2024-12-02 16:23:52 +01:00			`dpkg -i /tmp/trivy.deb`

initial import 2024-03-28 10:26:52 +01:00			`- name: Run Trivy vulnerability scanner`
			`id: scan`
cached trivy db 2024-12-02 16:23:52 +01:00			`run: \|`
fix trivy 2025-01-17 00:02:47 +01:00			`trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json docker.asperti.com/paspo/dnscache:latest > trivy-results.json`
initial import 2024-03-28 10:26:52 +01:00
			`# if some vulnerability is found, we fail`
			`- name: check output`
telegram vuln notification 2024-04-29 23:22:03 +02:00			`id: vulncount`
			`run: \|`
			`echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities\|length' trivy-results.json)" >> ${GITHUB_OUTPUT}`
			`if [ $(jq '.Results[0].Vulnerabilities\|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi`

			`- name: send telegram notification`
			`if: failure()`
			`uses: appleboy/telegram-action@master`
			`with:`
			`to: ${{ secrets.TELEGRAM_TO }}`
			`token: ${{ secrets.TELEGRAM_TOKEN }}`
			`format: markdown`
			`message: \|`
			Found ${{ steps.vulncount.outputs.VULNCOUNT }} vulnerabilities in `${{ github.repository }}`