From 25eb14f93b1181c40fcce18c66e93e55cd11bdf6 Mon Sep 17 00:00:00 2001
From: paspo
Date: Mon, 2 Dec 2024 16:43:11 +0100
Subject: [PATCH] cached trivy db

---
 .gitea/workflows/vulnscan.yaml | 41 ++++++++++++++++++++++++++++------
 1 file changed, 34 insertions(+), 7 deletions(-)

diff --git a/.gitea/workflows/vulnscan.yaml b/.gitea/workflows/vulnscan.yaml
index 9bb6a0b..655df7a 100644
--- a/.gitea/workflows/vulnscan.yaml
+++ b/.gitea/workflows/vulnscan.yaml
@@ -1,3 +1,4 @@
+---
 name: Vulnerability Scan
 on: 
@@ -15,17 +16,43 @@ jobs:
 steps:
 - name: Pull docker image
 run: docker pull docker.asperti.com/paspo/ftps:latest
- # run: docker pull git.asperti.com/paspo/docker-ftps:latest
+
+ - uses: actions/cache/restore@v4
+ with:
+ path: |
+ /root/.cache/trivy
+ key: trivy-db
+
+ - name: Setup trivy
+ run: |
+ wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.57.1/trivy_0.57.1_Linux-64bit.deb
+ dpkg -i /tmp/trivy.deb
 - name: Run Trivy vulnerability scanner
 id: scan
- uses: aquasecurity/trivy-action@master
+ run: |
+ trivy image --format json docker.asperti.com/paspo/ftps:latest > trivy-results.json
+
+ - uses: actions/cache/save@v4
+ if: always() # salva in cache anche se trova vulnerabilità
 with:
- image-ref: "docker.asperti.com/paspo/ftps:latest"
- # image-ref: "git.asperti.com/paspo/docker-ftps:latest"
- format: "json"
- output: "trivy-results.json"
+ path: |
+ /root/.cache/trivy
+ key: trivy-db
 # if some vulnerability is found, we fail
 - name: check output
- run: if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
+ id: vulncount
+ run: |
+ echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
+ if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
+
+ - name: send telegram notification
+ if: failure()
+ uses: appleboy/telegram-action@master
+ with:
+ to: ${{ secrets.TELEGRAM_TO }}
+ token: ${{ secrets.TELEGRAM_TOKEN }}
+ format: markdown
+ message: |
+ Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`
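Review bot: The "Setup trivy" step installs a .deb fetched with wget without any integrity check, and the new notification step references `appleboy/telegram-action@master`, so the job trusts a mutable upstream in both places while it holds `TELEGRAM_TOKEN`; the commit already dropped `aquasecurity/trivy-action@master`, and the same pinning discipline should apply here. For the download, verify the file against the checksum published alongside the release before `dpkg -i`, e.g. `echo "<expected-sha256-placeholder>  /tmp/trivy.deb" | sha256sum -c -` (fill the value from the release), and reference the Telegram action by a tag or commit SHA rather than a branch. In the "check output" step, `.Results[0].Vulnerabilities|length` counts only the first result set, so a report whose Results array has several entries can pass with findings in the later ones; `jq '[.Results[]?.Vulnerabilities // [] | length] | add // 0'` counts all of them, and the step computes the value twice where it could reuse the `VULNCOUNT` it just wrote. The static `trivy-db` key on both cache steps means that, if this runner's cache behaves like GitHub's (an existing key is never overwritten), the saved DB is never refreshed after the first run; a key such as `trivy-db-${{ github.run_id }}` on save with `restore-keys: trivy-db-` on restore keeps the newest copy.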