add telegram_bot

.gitea/workflows/trivy_image_scan.yml

@@ -1,5 +1,5 @@
 name: trivy-scan-image
-run-name: Trivy - Scan Docker Image
+run-name: Trivy - Scan Docker Image ${{ env.image_tag }}
 
 on:
   workflow_dispatch: # Manuelles Auslösen des Workflows
@@ -22,13 +22,74 @@ jobs:
     runs-on: ubuntu-latest
     container: aquasec/trivy:latest
     steps:
-      - name: Scan image with trivy
+      - name: Scan linux/amd64-image
         run: |
           trivy image \
           --username ${{ env.user }} \
           --password ${{ secrets.DOCKER_PULL_TOKEN }} \
           --exit-code 1 \
           --scanners vuln,misconfig,secret \
-          --severity MEDIUM,HIGH,CRITICAL \
+          --severity HIGH,CRITICAL \
           --ignore-unfixed \
+          --platform linux/amd64 \
           ${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name_gitea }}:${{ env.image_tag }}
+      - name: Scan linux/386-image
+        run: |
+          trivy image \
+          --username ${{ env.user }} \
+          --password ${{ secrets.DOCKER_PULL_TOKEN }} \
+          --exit-code 1 \
+          --scanners vuln,misconfig,secret \
+          --severity HIGH,CRITICAL \
+          --ignore-unfixed \
+          --platform linux/386 \
+          ${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name_gitea }}:${{ env.image_tag }}
+      - name: Scan linux/arm64-image
+        run: |
+          trivy image \
+          --username ${{ env.user }} \
+          --password ${{ secrets.DOCKER_PULL_TOKEN }} \
+          --exit-code 1 \
+          --scanners vuln,misconfig,secret \
+          --severity HIGH,CRITICAL \
+          --ignore-unfixed \
+          --platform linux/arm64 \
+          ${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name_gitea }}:${{ env.image_tag }}
+      - name: Scan linux/arm/v7-image
+        run: |
+          trivy image \
+          --username ${{ env.user }} \
+          --password ${{ secrets.DOCKER_PULL_TOKEN }} \
+          --exit-code 1 \
+          --scanners vuln,misconfig,secret \
+          --severity HIGH,CRITICAL \
+          --ignore-unfixed \
+          --platform linux/arm/v7 \
+          ${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name_gitea }}:${{ env.image_tag }}
+
+  telegram-notify:
+    needs: trivy_image_scan
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+    - name: Telegram Alert
+      run: |
+        case "${{ needs.trivy_image_scan.result }}" in
+            "success")  EMOJI="✅"; MSG="OK" ;;
+            "failure")  EMOJI="❌"; MSG="WARN!" ;;
+            "cancelled") EMOJI="⏹️"; MSG="Canceled" ;;
+            *) EMOJI="❓"; MSG="Unknown-State: ${{ needs.trivy_image_scan.result }}" ;;
+        esac
+        
+        curl -s -X POST "https://api.telegram.org/bot${{ secrets.TELEGRAM_BOT_TOKEN }}/sendMessage" \
+        -H 'Content-Type: application/json' \
+        -d "{
+        \"chat_id\": \"${{ secrets.TELEGRAM_CHAT_ID }}\",
+        \"parse_mode\": \"HTML\",
+        \"text\": 
+        \"$EMOJI <b>$MSG - Scan ${{ env.image_name_gitea }}:${{ env.image_tag }}</b>
+        <i>$(date +"%Y-%m-%d  %T")</i>
+        Trivy-Image-Scan of: <b><i>${{ env.image_name_gitea }}:${{ env.image_tag }}</i></b>
+        ${{ gitea.server_url }}/${{ gitea.repository }}
+        \"
+        }"

Dockerfile

@@ -9,10 +9,10 @@ ENV PYTHONUNBUFFERED=1
 ENV HTTP_METHOD=POST
 
 RUN apt-get update && \
+    apt-get upgrade -y &&\
     if [ "$TARGETPLATFORM" = "linux/arm/v7" ] || [ "$TARGETPLATFORM" = "linux/386" ]; then \
         apt-get install -y --no-install-recommends zlib1g-dev libjpeg-dev gcc; \
     fi && \
-    apt-get upgrade -y &&\
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*