diff --git a/.gitea/workflows/vulnscan.yaml b/.gitea/workflows/vulnscan.yaml
index 1c36a34..e5d006d 100644
--- a/.gitea/workflows/vulnscan.yaml
+++ b/.gitea/workflows/vulnscan.yaml
@@ -1,59 +1,52 @@ --- - name: Vulnerability Scan - - on: - schedule: - - cron: "0 14 * * *" - workflow_dispatch: - - jobs: - scan: - name: Daily Vulnerability Scan - runs-on: ubuntu-latest - container: - image: catthehacker/ubuntu:act-latest - - steps: - - name: Pull docker image - run: docker pull docker.asperti.com/paspo/smtp-relay:latest - - - uses: actions/cache/restore@v4 - with: - path: | - /root/.cache/trivy - key: trivy-db - - - name: Setup trivy - run: | - wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.57.1/trivy_0.57.1_Linux-64bit.deb - dpkg -i /tmp/trivy.deb - - - name: Run Trivy vulnerability scanner - id: scan - run: | - trivy image --format json docker.asperti.com/paspo/smtp-relay:latest > trivy-results.json - - - uses: actions/cache/save@v4 - if: always() # salva in cache anche se trova vulnerabilità - with: - path: | - /root/.cache/trivy - key: trivy-db - - # if some vulnerability is found, we fail - - name: check output - id: vulncount - run: | - echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT} - if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi - - - name: send telegram notification - if: failure() - uses: appleboy/telegram-action@master - with: - to: ${{ secrets.TELEGRAM_TO }} - token: ${{ secrets.TELEGRAM_TOKEN }} - format: markdown - message: | - Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}` - \ No newline at end of file +name: Vulnerability Scan + +on: + schedule: + - cron: "0 14 * * *" + workflow_dispatch: + +jobs: + scan: + name: Daily Vulnerability Scan + runs-on: ubuntu-latest + container: + image: catthehacker/ubuntu:act-latest + + steps: + - name: Pull docker image + run: docker pull docker.asperti.com/paspo/smtp-relay:latest + + - name: Setup trivy + run: | + echo "Installing Trivy for arch: $(uname -m)" + case $(uname -m) in + x86_64) + wget -O 
/tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;; + aarch64) + wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;; + *) exit 1 ;; + esac + dpkg -i /tmp/trivy.deb + + - name: Run Trivy vulnerability scanner + id: scan + run: | + trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json docker.asperti.com/paspo/smtp-relay:latest > trivy-results.json + + # if some vulnerability is found, we fail + - name: check output + id: vulncount + run: | + echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT} + if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi + + - name: send telegram notification + if: failure() + uses: appleboy/telegram-action@master + with: + to: ${{ secrets.TELEGRAM_TO }} + token: ${{ secrets.TELEGRAM_TOKEN }} + format: markdown + message: | + Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`
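Review bot: In the new `Run Trivy vulnerability scanner` step, `${{ secrets.TRIVY_SERVER }}` and `${{ secrets.TRIVY_TOKEN }}` are expanded unquoted straight into the `run:` shell text, so a value containing whitespace or a shell metacharacter would split or alter the command, and the token sits on the process command line for the duration of the scan. Passing both through `env:` and referencing them as `"$TRIVY_SERVER"` / `"$TRIVY_TOKEN"` keeps the values out of the script body and makes the quoting safe; Trivy also appears to read `TRIVY_SERVER`/`TRIVY_TOKEN` from the environment, in which case the flags could be dropped, but keeping them explicit is fine. Separately, the `Setup trivy` step `dpkg -i`s a `.deb` fetched with `wget` without any integrity check; the Trivy release assets include a checksums file, and a `sha256sum -c` against the pinned `v0.58.2` entry before `dpkg -i` would cover both the `x86_64` and `aarch64` branches. The untouched `check output` step still counts only `.Results[0]`, so vulnerabilities in any later result entry are ignored; `jq '[.Results[]?.Vulnerabilities // [] | length] | add // 0'` would sum across all of them.
```yaml
      - name: Run Trivy vulnerability scanner
        id: scan
        env:
          TRIVY_SERVER: ${{ secrets.TRIVY_SERVER }}
          TRIVY_TOKEN: ${{ secrets.TRIVY_TOKEN }}
        run: |
          trivy --server "$TRIVY_SERVER" --token "$TRIVY_TOKEN" image --format json docker.asperti.com/paspo/smtp-relay:latest > trivy-results.json
      # … unchanged: check output and telegram notification steps …
```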