From a22cadeb8d3b42bed1fcad14c6c6763d133bd015 Mon Sep 17 00:00:00 2001 From: paspo Date: Mon, 2 Dec 2024 16:43:55 +0100 Subject: [PATCH] cached trivy db --- .gitea/workflows/vulnscan.yaml | 101 +++++++++++++++++++-------------- 1 file changed, 59 insertions(+), 42 deletions(-) diff --git a/.gitea/workflows/vulnscan.yaml b/.gitea/workflows/vulnscan.yaml index e84a052..1c36a34 100644 --- a/.gitea/workflows/vulnscan.yaml +++ b/.gitea/workflows/vulnscan.yaml @@ -1,42 +1,59 @@ -name: Vulnerability Scan - -on: - schedule: - - cron: "0 14 * * *" - workflow_dispatch: - -jobs: - scan: - name: Daily Vulnerability Scan - runs-on: ubuntu-latest - container: - image: catthehacker/ubuntu:act-latest - - steps: - - name: Pull docker image - run: docker pull docker.asperti.com/${{ github.repository_owner }}/smtp-relay:latest - - - name: Run Trivy vulnerability scanner - id: scan - uses: aquasecurity/trivy-action@master - with: - image-ref: "docker.asperti.com/${{ github.repository_owner }}/smtp-relay:latest" - format: "json" - output: "trivy-results.json" - - # if some vulnerability is found, we fail - - name: check output - id: vulncount - run: | - echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT} - if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi - - - name: send telegram notification - if: failure() - uses: appleboy/telegram-action@master - with: - to: ${{ secrets.TELEGRAM_TO }} - token: ${{ secrets.TELEGRAM_TOKEN }} - format: markdown - message: | - Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}` +--- + name: Vulnerability Scan + + on: + schedule: + - cron: "0 14 * * *" + workflow_dispatch: + + jobs: + scan: + name: Daily Vulnerability Scan + runs-on: ubuntu-latest + container: + image: catthehacker/ubuntu:act-latest + + steps: + - name: Pull docker image + run: docker pull docker.asperti.com/paspo/smtp-relay:latest + + - uses: actions/cache/restore@v4 + with: + path: | + /root/.cache/trivy + key: trivy-db + + - name: Setup trivy + run: | + wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.57.1/trivy_0.57.1_Linux-64bit.deb + dpkg -i /tmp/trivy.deb + + - name: Run Trivy vulnerability scanner + id: scan + run: | + trivy image --format json docker.asperti.com/paspo/smtp-relay:latest > trivy-results.json + + - uses: actions/cache/save@v4 + if: always() # salva in cache anche se trova vulnerabilità + with: + path: | + /root/.cache/trivy + key: trivy-db + + # if some vulnerability is found, we fail + - name: check output + id: vulncount + run: | + echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT} + if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi + + - name: send telegram notification + if: failure() + uses: appleboy/telegram-action@master + with: + to: ${{ secrets.TELEGRAM_TO }} + token: ${{ secrets.TELEGRAM_TOKEN }} + format: markdown + message: | + Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}` + \ No newline at end of file