cached trivy db

2024-12-02 16:43:55 +01:00 · 2024-12-02 16:43:55 +01:00 · a22cadeb8d
commit a22cadeb8d
parent 5395d75a23
1 changed files with 59 additions and 42 deletions
--- a/.gitea/workflows/vulnscan.yaml
+++ b/.gitea/workflows/vulnscan.yaml
@ -1,42 +1,59 @@
-name: Vulnerability Scan
+---
+  name: Vulnerability Scan
  
-on:
-  schedule:
-    - cron: "0 14 * * *"
-  workflow_dispatch:
+  on:
+    schedule:
+      - cron: "0 14 * * *"
+    workflow_dispatch:
  
-jobs:
-  scan:
-    name: Daily Vulnerability Scan
-    runs-on: ubuntu-latest
-    container:
-      image: catthehacker/ubuntu:act-latest
+  jobs:
+    scan:
+      name: Daily Vulnerability Scan
+      runs-on: ubuntu-latest
+      container:
+        image: catthehacker/ubuntu:act-latest
  
-    steps:
-      - name: Pull docker image
-        run: docker pull docker.asperti.com/${{ github.repository_owner }}/smtp-relay:latest
+      steps:
+        - name: Pull docker image
+          run: docker pull docker.asperti.com/paspo/smtp-relay:latest
  
-      - name: Run Trivy vulnerability scanner
-        id: scan
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: "docker.asperti.com/${{ github.repository_owner }}/smtp-relay:latest"
-          format: "json"
-          output: "trivy-results.json"
+        - uses: actions/cache/restore@v4
+          with:
+            path: |
+              /root/.cache/trivy
+            key: trivy-db
  
-      # if some vulnerability is found, we fail
-      - name: check output
-        id: vulncount
-        run: |
-          echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
-          if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
+        - name: Setup trivy
+          run: |
+            wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.57.1/trivy_0.57.1_Linux-64bit.deb
+            dpkg -i /tmp/trivy.deb
+  
+        - name: Run Trivy vulnerability scanner
+          id: scan
+          run: |
+            trivy image --format json docker.asperti.com/paspo/smtp-relay:latest > trivy-results.json
+  
+        - uses: actions/cache/save@v4
+          if: always()  # salva in cache anche se trova vulnerabilità
+          with:
+            path: |
+              /root/.cache/trivy
+            key: trivy-db
+  
+        # if some vulnerability is found, we fail
+        - name: check output
+          id: vulncount
+          run: |
+            echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
+            if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
+  
+        - name: send telegram notification
+          if: failure()
+          uses: appleboy/telegram-action@master
+          with:
+            to: ${{ secrets.TELEGRAM_TO }}
+            token: ${{ secrets.TELEGRAM_TOKEN }}
+            format: markdown
+            message: |
+              Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`
  
-      - name: send telegram notification
-        if: failure()
-        uses: appleboy/telegram-action@master
-        with:
-          to: ${{ secrets.TELEGRAM_TO }}
-          token: ${{ secrets.TELEGRAM_TOKEN }}
-          format: markdown
-          message: |
-            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`