name: Vulnerability Scan on: schedule: - cron: "0 14 * * *" workflow_dispatch: jobs: scan: name: Daily Vulnerability Scan runs-on: ubuntu-latest container: image: catthehacker/ubuntu:act-latest steps: - name: Pull docker image run: docker pull docker.asperti.com/${{ github.repository_owner }}/hugo:latest - name: Run Trivy vulnerability scanner id: scan uses: aquasecurity/trivy-action@master with: image-ref: "docker.asperti.com/${{ github.repository_owner }}/hugo:latest" format: "json" output: "trivy-results.json" # if some vulnerability is found, we fail - name: check output id: vulncount run: | echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT} if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi - name: send telegram notification if: failure() uses: appleboy/telegram-action@master with: to: ${{ secrets.TELEGRAM_TO }} token: ${{ secrets.TELEGRAM_TOKEN }} format: markdown message: | Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`