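---
# Daily Trivy scan of the published webserver-nginx image.
# The scan output is written to trivy-results.json; the job fails (and a
# Telegram message is sent) when any vulnerability is reported.
name: Vulnerability Scan

on:
  schedule:
    - cron: "0 14 * * *"
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the repository.
permissions:
  contents: read

jobs:
  scan:
    name: Daily Vulnerability Scan
    runs-on: ubuntu-latest
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - name: Pull docker image
        run: docker pull docker.asperti.com/paspo/webserver-nginx:latest

      # Reuse the Trivy vulnerability DB between runs so each scan does not
      # re-download it.
      - uses: actions/cache/restore@v4
        with:
          path: |
            /root/.cache/trivy
          key: trivy-db

      # NOTE(review): the .deb is installed without an integrity check; compare
      # it against the sha256 published with the v0.57.1 release before `dpkg -i`.
      - name: Setup trivy
        run: |
          wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.57.1/trivy_0.57.1_Linux-64bit.deb
          dpkg -i /tmp/trivy.deb

      - name: Run Trivy vulnerability scanner
        id: scan
        run: |
          trivy image --format json docker.asperti.com/paspo/webserver-nginx:latest > trivy-results.json

      # Save the DB to cache even when the check step below fails on findings.
      - uses: actions/cache/save@v4
        if: always()
        with:
          path: |
            /root/.cache/trivy
          key: trivy-db

      # If any vulnerability is found, fail the job. The count is summed over
      # every entry in .Results (OS packages plus any language-specific targets
      # Trivy reports), not only the first one; a missing "Vulnerabilities"
      # key counts as zero. The count is computed once and reused for both the
      # step output and the exit decision.
      - name: check output
        id: vulncount
        run: |
          set -euo pipefail
          VULNCOUNT="$(jq '[.Results[]?.Vulnerabilities // [] | length] | add // 0' trivy-results.json)"
          echo "VULNCOUNT=${VULNCOUNT}" >> "${GITHUB_OUTPUT}"
          if [ "${VULNCOUNT}" -ne 0 ]; then
            exit 1
          fi

      # NOTE(review): @master is a mutable ref; pin this third-party action to
      # a release tag or commit SHA so an upstream change cannot alter what
      # runs with the Telegram secrets.
      - name: send telegram notification
        if: failure()
        uses: appleboy/telegram-action@master
        with:
          to: ${{ secrets.TELEGRAM_TO }}
          token: ${{ secrets.TELEGRAM_TOKEN }}
          format: markdown
          message: |
            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`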