From abac3e6949642417d81894a5a885c971442aa6e2 Mon Sep 17 00:00:00 2001 From: paspo Date: Mon, 16 Dec 2024 20:44:50 +0100 Subject: [PATCH] add vulscan --- .gitea/workflows/vulnscan.yaml | 58 ++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 .gitea/workflows/vulnscan.yaml diff --git a/.gitea/workflows/vulnscan.yaml b/.gitea/workflows/vulnscan.yaml new file mode 100644 index 0000000..fdafe89 --- /dev/null +++ b/.gitea/workflows/vulnscan.yaml @@ -0,0 +1,58 @@ +--- +name: Vulnerability Scan + +on: + schedule: + - cron: "0 14 * * *" + workflow_dispatch: + +jobs: + scan: + name: Daily Vulnerability Scan + runs-on: ubuntu-latest + container: + image: catthehacker/ubuntu:act-latest + + steps: + - name: Pull docker image + run: docker pull docker.asperti.com/paspo/webserver-nginx:latest + + - uses: actions/cache/restore@v4 + with: + path: | + /root/.cache/trivy + key: trivy-db + + - name: Setup trivy + run: | + wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.57.1/trivy_0.57.1_Linux-64bit.deb + dpkg -i /tmp/trivy.deb + + - name: Run Trivy vulnerability scanner + id: scan + run: | + trivy image --format json docker.asperti.com/paspo/webserver-nginx:latest > trivy-results.json + + - uses: actions/cache/save@v4 + if: always() # salva in cache anche se trova vulnerabilità + with: + path: | + /root/.cache/trivy + key: trivy-db + + # if some vulnerability is found, we fail + - name: check output + id: vulncount + run: | + echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT} + if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi + + - name: send telegram notification + if: failure() + uses: appleboy/telegram-action@master + with: + to: ${{ secrets.TELEGRAM_TO }} + token: ${{ secrets.TELEGRAM_TOKEN }} + format: markdown + message: | + Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`