diff --git a/.gitea/workflows/vulnscan.yaml b/.gitea/workflows/vulnscan.yaml
index 56391f1..a357756 100644
--- a/.gitea/workflows/vulnscan.yaml
+++ b/.gitea/workflows/vulnscan.yaml
@@ -1,3 +1,4 @@
+---
 name: Vulnerability Scan
 
 on:
@@ -16,14 +17,42 @@ jobs:
       - name: Pull docker image
         run: docker pull docker.asperti.com/paspo/glpi:latest
 
+      - uses: actions/cache/restore@v4
+        with:
+          path: |
+            /root/.cache/trivy
+          key: trivy-db
+
+      - name: Setup trivy
+        run: |
+          wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.57.1/trivy_0.57.1_Linux-64bit.deb
+          dpkg -i /tmp/trivy.deb
+
       - name: Run Trivy vulnerability scanner
         id: scan
-        uses: aquasecurity/trivy-action@master
+        run: |
+          trivy image --format json docker.asperti.com/paspo/glpi:latest > trivy-results.json
+
+      - uses: actions/cache/save@v4
+        if: always() # salva in cache anche se trova vulnerabilità
         with:
-          image-ref: "docker.asperti.com/paspo/glpi:latest"
-          format: "json"
-          output: "trivy-results.json"
+          path: |
+            /root/.cache/trivy
+          key: trivy-db
 
       # if some vulnerability is found, we fail
       - name: check output
-        run: if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
+        id: vulncount
+        run: |
+          echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
+          if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
+
+      - name: send telegram notification
+        if: failure()
+        uses: appleboy/telegram-action@master
+        with:
+          to: ${{ secrets.TELEGRAM_TO }}
+          token: ${{ secrets.TELEGRAM_TOKEN }}
+          format: markdown
+          message: |
+            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`
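Review bot: The new notification step hands `secrets.TELEGRAM_TOKEN` to `appleboy/telegram-action@master`, a mutable ref that can change under the workflow at any time; pin it to a release tag or, better, a full commit SHA, e.g. `uses: appleboy/telegram-action@<pinned tag or commit SHA>`. The same supply-chain concern applies to the "Setup trivy" step, which installs a downloaded `.deb` as root without verifying it: before `dpkg -i /tmp/trivy.deb`, check the file against the SHA-256 published with the Trivy release (or a hash pinned in the workflow) with `sha256sum -c` and abort on mismatch. In the "check output" step, `jq '.Results[0].Vulnerabilities|length'` counts only the first scan target, so findings in any further `Results` entries (Trivy reports OS packages and language dependencies as separate targets) are silently ignored by both the output and the exit check; computing the total once, e.g. `VULNCOUNT=$(jq '[.Results[]?.Vulnerabilities // [] | length] | add // 0' trivy-results.json)`, and reusing it in the `echo` and the `if` would fix both the undercount and the duplicated jq call. Note also that `if: failure()` fires on any earlier failing step (pull, wget, dpkg), in which case `steps.vulncount.outputs.VULNCOUNT` is presumably empty and the message reads "Found ** ** vulnerabilities"; guarding the step with `steps.vulncount.outcome == 'failure'` or including `job.status` in the message would make the alert unambiguous.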