Compare commits
2 Commits
5397333257
...
6ddd595b68
| Author | SHA1 | Date | |
|---|---|---|---|
6ddd595b68
|
|||
|
01f937a6c6
|
@@ -1,45 +0,0 @@
|
||||
local Pipeline(mariadb_version) = {
|
||||
kind: "pipeline",
|
||||
type: "docker",
|
||||
name: "maria-" + mariadb_version,
|
||||
steps: [
|
||||
{
|
||||
name: "build_and_publish_" + mariadb_version,
|
||||
image: "plugins/docker:linux-amd64",
|
||||
pull: "always",
|
||||
settings: {
|
||||
dockerfile: "Dockerfile",
|
||||
build_args: [
|
||||
"MARIA_VERSION=" + mariadb_version,
|
||||
],
|
||||
registry: "docker.asperti.com",
|
||||
repo: "docker.asperti.com/paspo/mariadb-backup-slave",
|
||||
username: {
|
||||
from_secret: "docker_username",
|
||||
},
|
||||
password: {
|
||||
from_secret: "docker_password",
|
||||
},
|
||||
tags: [ "latest-" + mariadb_version, "maria-" + mariadb_version ],
|
||||
auto_tag: false,
|
||||
force_tag: true,
|
||||
daemon_off: false,
|
||||
}
|
||||
}
|
||||
],
|
||||
trigger: {
|
||||
event: ['tag'],
|
||||
}
|
||||
};
|
||||
|
||||
[
|
||||
Pipeline("11.4"),
|
||||
Pipeline("11.3"),
|
||||
Pipeline("11.2"),
|
||||
Pipeline("11.1"),
|
||||
Pipeline("11.0"),
|
||||
Pipeline("10.11"),
|
||||
Pipeline("10.6"),
|
||||
Pipeline("10.5"),
|
||||
Pipeline("10.4"),
|
||||
]
|
||||
65
.gitea/workflows/vulnscan.yaml
Normal file
65
.gitea/workflows/vulnscan.yaml
Normal file
@@ -0,0 +1,65 @@
|
||||
---
|
||||
name: Vulnerability Scan
|
||||
|
||||
env:
|
||||
REGISTRY: docker.asperti.com
|
||||
REPOSITORY: paspo/mariadb-backup-slave
|
||||
|
||||
on:
|
||||
schedule:
|
||||
- cron: "0 14 * * *"
|
||||
workflow_dispatch:
|
||||
workflow_call:
|
||||
workflow_run:
|
||||
workflows: [build_and_publish.yaml]
|
||||
types: [completed]
|
||||
|
||||
jobs:
|
||||
scan:
|
||||
name: Daily Vulnerability Scan
|
||||
runs-on:
|
||||
labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
|
||||
container:
|
||||
image: catthehacker/ubuntu:act-latest
|
||||
strategy:
|
||||
matrix:
|
||||
arch: [amd64, arm64]
|
||||
version: ["10.6", "10.11", "11.4", "11.8"]
|
||||
|
||||
steps:
|
||||
- name: Pull docker image
|
||||
run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.version }}-${{ matrix.arch }}
|
||||
|
||||
- name: Setup trivy
|
||||
run: |
|
||||
echo "Installing Trivy for arch: $(uname -m)"
|
||||
case $(uname -m) in
|
||||
x86_64)
|
||||
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
|
||||
aarch64)
|
||||
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
|
||||
*) exit 1 ;;
|
||||
esac
|
||||
dpkg -i /tmp/trivy.deb
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
id: scan
|
||||
run: |
|
||||
trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.version }}-${{ matrix.arch }} > trivy-results.json
|
||||
|
||||
# if some vulnerability is found, we fail
|
||||
- name: check output
|
||||
id: vulncount
|
||||
run: |
|
||||
echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
|
||||
if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
|
||||
|
||||
- name: send telegram notification
|
||||
if: failure()
|
||||
uses: appleboy/telegram-action@master
|
||||
with:
|
||||
to: ${{ secrets.TELEGRAM_TO }}
|
||||
token: ${{ secrets.TELEGRAM_TOKEN }}
|
||||
format: markdown
|
||||
message: |
|
||||
Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`
|
||||
Reference in New Issue
Block a user