cached trivy db

2024-12-02 16:43:55 +01:00 · 2024-12-02 16:43:55 +01:00 · a22cadeb8d
commit a22cadeb8d
parent 5395d75a23
1 changed files with 59 additions and 42 deletions
--- a/.gitea/workflows/vulnscan.yaml
+++ b/.gitea/workflows/vulnscan.yaml
@ -1,42 +1,59 @@
-name: Vulnerability Scan
+---
-
+  name: Vulnerability Scan
-on:
+  
-  schedule:
+  on:
-    - cron: "0 14 * * *"
+    schedule:
-  workflow_dispatch:
+      - cron: "0 14 * * *"
-
+    workflow_dispatch:
-jobs:
+  
-  scan:
+  jobs:
-    name: Daily Vulnerability Scan
+    scan:
-    runs-on: ubuntu-latest
+      name: Daily Vulnerability Scan
-    container:
+      runs-on: ubuntu-latest
-      image: catthehacker/ubuntu:act-latest
+      container:
-
+        image: catthehacker/ubuntu:act-latest
-    steps:
+  
-      - name: Pull docker image
+      steps:
-        run: docker pull docker.asperti.com/${{ github.repository_owner }}/smtp-relay:latest
+        - name: Pull docker image
-
+          run: docker pull docker.asperti.com/paspo/smtp-relay:latest
-      - name: Run Trivy vulnerability scanner
+  
-        id: scan
+        - uses: actions/cache/restore@v4
-        uses: aquasecurity/trivy-action@master
+          with:
-        with:
+            path: |
-          image-ref: "docker.asperti.com/${{ github.repository_owner }}/smtp-relay:latest"
+              /root/.cache/trivy
-          format: "json"
+            key: trivy-db
-          output: "trivy-results.json"
+  
-
+        - name: Setup trivy
-      # if some vulnerability is found, we fail
+          run: |
-      - name: check output
+            wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.57.1/trivy_0.57.1_Linux-64bit.deb
-        id: vulncount
+            dpkg -i /tmp/trivy.deb
-        run: |
+  
-          echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
+        - name: Run Trivy vulnerability scanner
-          if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
+          id: scan
-
+          run: |
-      - name: send telegram notification
+            trivy image --format json docker.asperti.com/paspo/smtp-relay:latest > trivy-results.json
-        if: failure()
+  
-        uses: appleboy/telegram-action@master
+        - uses: actions/cache/save@v4
-        with:
+          if: always()  # salva in cache anche se trova vulnerabilità
-          to: ${{ secrets.TELEGRAM_TO }}
+          with:
-          token: ${{ secrets.TELEGRAM_TOKEN }}
+            path: |
-          format: markdown
+              /root/.cache/trivy
-          message: |
+            key: trivy-db
-            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`
+  
        # if some vulnerability is found, we fail
        - name: check output
          id: vulncount
          run: |
            echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
            if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
        - name: send telegram notification
          if: failure()
          uses: appleboy/telegram-action@master
          with:
            to: ${{ secrets.TELEGRAM_TO }}
            token: ${{ secrets.TELEGRAM_TOKEN }}
            format: markdown
            message: |
              Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`