paspo/docker-zabbix-proxy-mssql
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Releases Activity
Files
86b88ed77e787edcd4aa18be2d153bd7f6a07239
docker-zabbix-proxy-mssql/.gitea/workflows/vulnscan.yaml
paspo 86b88ed77e
Some checks are pending
Container Publish / on-success-skip (push) Has been skipped
Details
Container Publish / update docker manifest (amd64, mysql, 7.0) (push) Blocked by required conditions
Details
Container Publish / update docker manifest (amd64, sqlite3, 7.0) (push) Blocked by required conditions
Details
Container Publish / build-image (amd64, mysql, 7.0) (push) Successful in 1m4s
Details
Container Publish / build-image (amd64, sqlite3, 7.0) (push) Successful in 2m8s
Details
removed vulnscan
2025-09-30 00:28:04 +02:00

65 lines
2.2 KiB
YAML
Raw Blame History

---
name: Vulnerability Scan
env:
REGISTRY: docker.asperti.com
REPOSITORY: paspo/zabbix-proxy
on:
workflow_dispatch:
workflow_call:
workflow_run:
workflows: [build_and_publish.yaml]
types: [completed]
jobs:
scan:
name: Daily Vulnerability Scan
runs-on:
labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
container:
image: catthehacker/ubuntu:act-latest
strategy:
matrix:
arch: [amd64]
flavour: [sqlite3, mysql]
ver: ["7.0"]
steps:
- name: Pull docker image
run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }}
- name: Setup trivy
run: |
echo "Installing Trivy for arch: $(uname -m)"
case $(uname -m) in
x86_64)
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
aarch64)
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
*) exit 1 ;;
esac
dpkg -i /tmp/trivy.deb
- name: Run Trivy vulnerability scanner
id: scan
run: |
trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }} > trivy-results.json
# if some vulnerability is found, we fail
- name: check output
id: vulncount
run: |
echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
- name: send telegram notification
if: failure()
uses: appleboy/telegram-action@master
with:
to: ${{ secrets.TELEGRAM_TO }}
token: ${{ secrets.TELEGRAM_TOKEN }}
format: markdown
message: |
Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }}`
Reference in New Issue View Git Blame Copy Permalink