switched from drone to gitea actions
All checks were successful
Container Publish / on-success-skip (push) Has been skipped
Container Publish / build-image (arm64) (push) Successful in 32s
Container Publish / build-image (amd64) (push) Successful in 51s
Container Publish / update docker manifest (push) Successful in 11s
Vulnerability Scan / Daily Vulnerability Scan (arm64, latest) (push) Successful in 5s
Vulnerability Scan / Daily Vulnerability Scan (amd64, latest) (push) Successful in 17s
Vulnerability Scan / Daily Vulnerability Scan (arm64, latest-php74) (push) Successful in 5s
Vulnerability Scan / Daily Vulnerability Scan (amd64, latest-php74) (push) Successful in 18s
All checks were successful
Container Publish / on-success-skip (push) Has been skipped
Container Publish / build-image (arm64) (push) Successful in 32s
Container Publish / build-image (amd64) (push) Successful in 51s
Container Publish / update docker manifest (push) Successful in 11s
Vulnerability Scan / Daily Vulnerability Scan (arm64, latest) (push) Successful in 5s
Vulnerability Scan / Daily Vulnerability Scan (amd64, latest) (push) Successful in 17s
Vulnerability Scan / Daily Vulnerability Scan (arm64, latest-php74) (push) Successful in 5s
Vulnerability Scan / Daily Vulnerability Scan (amd64, latest-php74) (push) Successful in 18s
This commit is contained in:
@@ -1,44 +1,51 @@
|
||||
---
|
||||
name: Vulnerability Scan
|
||||
|
||||
env:
|
||||
REGISTRY: docker.asperti.com
|
||||
REPOSITORY: paspo/webserver-nginx
|
||||
|
||||
on:
|
||||
schedule:
|
||||
- cron: "0 14 * * *"
|
||||
workflow_dispatch:
|
||||
workflow_call:
|
||||
workflow_run:
|
||||
workflows: [build_and_publish.yaml]
|
||||
types: [completed]
|
||||
|
||||
jobs:
|
||||
scan:
|
||||
name: Daily Vulnerability Scan
|
||||
runs-on: ubuntu-latest
|
||||
runs-on:
|
||||
labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
|
||||
container:
|
||||
image: catthehacker/ubuntu:act-latest
|
||||
strategy:
|
||||
matrix:
|
||||
arch: [amd64, arm64]
|
||||
tag: [latest, latest-php74]
|
||||
|
||||
steps:
|
||||
- name: Pull docker image
|
||||
run: docker pull docker.asperti.com/paspo/webserver-nginx:latest
|
||||
|
||||
- uses: actions/cache/restore@v4
|
||||
with:
|
||||
path: |
|
||||
/root/.cache/trivy
|
||||
key: trivy-db
|
||||
run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.tag }}
|
||||
|
||||
- name: Setup trivy
|
||||
run: |
|
||||
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.57.1/trivy_0.57.1_Linux-64bit.deb
|
||||
echo "Installing Trivy for arch: $(uname -m)"
|
||||
case $(uname -m) in
|
||||
x86_64)
|
||||
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
|
||||
aarch64)
|
||||
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
|
||||
*) exit 1 ;;
|
||||
esac
|
||||
dpkg -i /tmp/trivy.deb
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
id: scan
|
||||
run: |
|
||||
trivy image --format json docker.asperti.com/paspo/webserver-nginx:latest > trivy-results.json
|
||||
|
||||
- uses: actions/cache/save@v4
|
||||
if: always() # salva in cache anche se trova vulnerabilità
|
||||
with:
|
||||
path: |
|
||||
/root/.cache/trivy
|
||||
key: trivy-db
|
||||
trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.tag }} > trivy-results.json
|
||||
|
||||
# if some vulnerability is found, we fail
|
||||
- name: check output
|
||||
|
||||
Reference in New Issue
Block a user