Compare commits
9 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
2cb032520a
|
|||
|
604863c39c
|
|||
|
4218c4fac3
|
|||
|
990ac9e0a8
|
|||
|
4fd2ca42dd
|
|||
|
46ef5a68a2
|
|||
|
e6c28c3b15
|
|||
|
d2824d0831
|
|||
|
fb51b8e9da
|
@ -1,7 +1,7 @@
|
||||
def main(ctx):
|
||||
archs = ["amd64", "arm64"] ## arm
|
||||
glpi_version = "10.0.16"
|
||||
alpine_version = "3.20"
|
||||
glpi_version = "10.0.18"
|
||||
alpine_version = "3.21"
|
||||
|
||||
out = []
|
||||
for arch in archs:
|
||||
|
||||
@ -1,3 +1,4 @@
|
||||
---
|
||||
name: Vulnerability Scan
|
||||
|
||||
on:
|
||||
@ -16,14 +17,36 @@ jobs:
|
||||
- name: Pull docker image
|
||||
run: docker pull docker.asperti.com/paspo/glpi:latest
|
||||
|
||||
- name: Setup trivy
|
||||
run: |
|
||||
echo "Installing Trivy for arch: $(uname -m)"
|
||||
case $(uname -m) in
|
||||
x86_64)
|
||||
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
|
||||
aarch64)
|
||||
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
|
||||
*) exit 1 ;;
|
||||
esac
|
||||
dpkg -i /tmp/trivy.deb
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
id: scan
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: "docker.asperti.com/paspo/glpi:latest"
|
||||
format: "json"
|
||||
output: "trivy-results.json"
|
||||
run: |
|
||||
trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json docker.asperti.com/paspo/glpi:latest > trivy-results.json
|
||||
|
||||
# if some vulnerability is found, we fail
|
||||
- name: check output
|
||||
run: if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
|
||||
id: vulncount
|
||||
run: |
|
||||
echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
|
||||
if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
|
||||
|
||||
- name: send telegram notification
|
||||
if: failure()
|
||||
uses: appleboy/telegram-action@master
|
||||
with:
|
||||
to: ${{ secrets.TELEGRAM_TO }}
|
||||
token: ${{ secrets.TELEGRAM_TOKEN }}
|
||||
format: markdown
|
||||
message: |
|
||||
Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`
|
||||
|
||||
@ -13,6 +13,9 @@ RUN \
|
||||
chmod +x /usr/local/bin/composer && \
|
||||
wget -O - https://github.com/glpi-project/glpi/releases/download/${GLPI_VERSION}/glpi-${GLPI_VERSION}.tgz | tar xz -C /var/www
|
||||
|
||||
# GLPI 10.x will work only with PHP up to 8.3.
|
||||
# do not trust README.md from glpi github (it says it works with 8.4, but it dies if >=8.4.0)
|
||||
|
||||
# this are needed if you want to manually install GLPI from git
|
||||
# RUN \
|
||||
# apk add patch npm gettext
|
||||
|
||||
@ -1,9 +1,11 @@
|
||||
#!/bin/sh
|
||||
|
||||
INSTALL_OK=${INSTALL_OK:-0}
|
||||
|
||||
chown -R nginx:www-data /logs /config /files /marketplace
|
||||
chmod -R a-x,a=rX,ug+w /logs /config /files /marketplace
|
||||
|
||||
if [ "$INSTALL_OK" = "1" ] ; then
|
||||
if [ "${INSTALL_OK}" = "1" ] ; then
|
||||
if [ -f /var/www/glpi/install/install.php ] ; then
|
||||
rm /var/www/glpi/install/install.php
|
||||
fi
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user