---
name: Vulnerability Scan

on:
  schedule:
    - cron: "0 14 * * *"
  workflow_dispatch:

jobs:
  scan:
    name: Daily Vulnerability Scan
    runs-on: ubuntu-latest
    container:
      image: catthehacker/ubuntu:act-latest

    steps:
      - name: Pull docker image
        run: docker pull docker.asperti.com/paspo/hugo:latest

      - uses: actions/cache/restore@v4
        with:
          path: |
            /root/.cache/trivy
          key: trivy-db

      - name: Setup trivy
        run: |
          wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.57.1/trivy_0.57.1_Linux-64bit.deb
          dpkg -i /tmp/trivy.deb

      - name: Run Trivy vulnerability scanner
        id: scan
        run: |
          trivy image --format json docker.asperti.com/paspo/hugo:latest > trivy-results.json

      - uses: actions/cache/save@v4
        if: always()  # salva in cache anche se trova vulnerabilità
        with:
          path: |
            /root/.cache/trivy
          key: trivy-db

      # if some vulnerability is found, we fail
      - name: check output
        id: vulncount
        run: |
          echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
          if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi

      - name: send telegram notification
        if: failure()
        uses: appleboy/telegram-action@master
        with:
          to: ${{ secrets.TELEGRAM_TO }}
          token: ${{ secrets.TELEGRAM_TOKEN }}
          format: markdown
          message: |
            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`