paspo/docker-webserver-nginx
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Releases Activity
Files
d4a3894a93f5516154c11d00b42200d7707aa8b1
docker-webserver-nginx/.gitea/workflows/vulnscan.yaml
paspo 6b9c9d86e6
All checks were successful
Container Publish / on-success-skip (push) Has been skipped
Details
Container Publish / build-image (arm64) (push) Successful in 32s
Details
Container Publish / build-image (amd64) (push) Successful in 51s
Details
Container Publish / update docker manifest (push) Successful in 11s
Details
Vulnerability Scan / Daily Vulnerability Scan (arm64, latest) (push) Successful in 5s
Details
Vulnerability Scan / Daily Vulnerability Scan (amd64, latest) (push) Successful in 17s
Details
Vulnerability Scan / Daily Vulnerability Scan (arm64, latest-php74) (push) Successful in 5s
Details
Vulnerability Scan / Daily Vulnerability Scan (amd64, latest-php74) (push) Successful in 18s
Details
switched from drone to gitea actions
2025-06-15 13:41:14 +02:00

66 lines
2.1 KiB
YAML
Raw Blame History

---
name: Vulnerability Scan
env:
REGISTRY: docker.asperti.com
REPOSITORY: paspo/webserver-nginx
on:
schedule:
- cron: "0 14 * * *"
workflow_dispatch:
workflow_call:
workflow_run:
workflows: [build_and_publish.yaml]
types: [completed]
jobs:
scan:
name: Daily Vulnerability Scan
runs-on:
labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
container:
image: catthehacker/ubuntu:act-latest
strategy:
matrix:
arch: [amd64, arm64]
tag: [latest, latest-php74]
steps:
- name: Pull docker image
run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.tag }}
- name: Setup trivy
run: |
echo "Installing Trivy for arch: $(uname -m)"
case $(uname -m) in
x86_64)
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
aarch64)
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
*) exit 1 ;;
esac
dpkg -i /tmp/trivy.deb
- name: Run Trivy vulnerability scanner
id: scan
run: |
trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.tag }} > trivy-results.json
# if some vulnerability is found, we fail
- name: check output
id: vulncount
run: |
echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
- name: send telegram notification
if: failure()
uses: appleboy/telegram-action@master
with:
to: ${{ secrets.TELEGRAM_TO }}
token: ${{ secrets.TELEGRAM_TOKEN }}
format: markdown
message: |
Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`
Reference in New Issue View Git Blame Copy Permalink