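---
# Scans the published multi-arch image with Trivy (vulnerabilities, misconfigurations,
# embedded secrets) and reports the outcome to Telegram. The scan job fails on any
# HIGH/CRITICAL finding that has a fix available (see --ignore-unfixed below).
name: trivy-scan-image
run-name: Trivy - Scan Docker Image

on:
  # Manual trigger: lets the operator choose which tag to scan.
  workflow_dispatch:
    inputs:
      image_tag:
        description: 'Tag of the Docker image to scan, e.g. latest'
        required: true
        default: 'latest'
  # Weekly scan of the default tag: Fridays at 01:45 (runner clock).
  schedule:
    - cron: '45 1 * * 5'

env:
  image_name: mysteryhelfer
  # Scheduled runs carry no inputs, so fall back to 'latest'.
  image_tag: ${{ github.event.inputs.image_tag || 'latest' }}
  registry_gitea: gitea.tebarius.duckdns.org
  user: tebarius

jobs:
  trivy_image_scan:
    runs-on: ubuntu-latest
    # TODO(security): pin the scanner to a release tag plus digest
    # (aquasec/trivy:<version>@sha256:...) so that a changed or compromised
    # 'latest' cannot silently alter what this job executes.
    container: aquasec/trivy:latest
    steps:
      # The image reference is assembled from environment variables inside the
      # shell rather than from ${{ }} expressions spliced into the script:
      # image_tag is a workflow_dispatch input, and expanding user-controlled
      # text into shell source is a command-injection vector.
      #
      # Caveat: --ignore-unfixed drops HIGH/CRITICAL findings that have no
      # vendor fix yet, so a green run does not mean the image is free of them.
      - name: Scan linux/amd64-image
        run: |
          set -eu
          trivy image \
            --exit-code 1 \
            --scanners vuln,misconfig,secret \
            --severity HIGH,CRITICAL \
            --ignore-unfixed \
            --platform linux/amd64 \
            "${registry_gitea}/${user}/${image_name}:${image_tag}"

      - name: Scan linux/arm64-image
        run: |
          set -eu
          trivy image \
            --exit-code 1 \
            --scanners vuln,misconfig,secret \
            --severity HIGH,CRITICAL \
            --ignore-unfixed \
            --platform linux/arm64 \
            "${registry_gitea}/${user}/${image_name}:${image_tag}"

  telegram-notify:
    needs: trivy_image_scan
    # Report every outcome, including a failed or cancelled scan.
    if: always()
    runs-on: ubuntu-latest
    steps:
      - name: Telegram Alert
        env:
          # Secrets and contexts enter the script as environment variables, so
          # they are never interpolated into shell source and the bot token
          # stays masked in logs.
          TELEGRAM_BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }}
          TELEGRAM_CHAT_ID: ${{ secrets.TELEGRAM_CHAT_ID }}
          SCAN_RESULT: ${{ needs.trivy_image_scan.result }}
          REPO_URL: ${{ gitea.server_url }}/${{ gitea.repository }}
        run: |
          set -eu
          case "$SCAN_RESULT" in
            success)   EMOJI="✅"; MSG="OK" ;;
            failure)   EMOJI="❌"; MSG="WARN!" ;;
            cancelled) EMOJI="⏹️"; MSG="Canceled" ;;
            *)         EMOJI="❓"; MSG="Unknown-State: ${SCAN_RESULT}" ;;
          esac
          TEXT="$(printf '%s %s - Scan %s:%s %s\nTrivy-Image-Scan of: %s:%s\n%s' \
            "$EMOJI" "$MSG" "$image_name" "$image_tag" "$(date +'%Y-%m-%d %T')" \
            "$image_name" "$image_tag" "$REPO_URL")"
          # Send form-encoded fields instead of hand-built JSON: quotes or
          # newlines in the text cannot break the request body. The message
          # contains no markup, so no parse_mode is requested (HTML mode would
          # choke on '<' or '&' in the repository URL). -f makes a rejected
          # request (bad token, wrong chat_id) fail the step instead of
          # exiting 0 silently; --max-time bounds a hung API call.
          curl -fsS --max-time 30 \
            -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
            --data-urlencode "chat_id=${TELEGRAM_CHAT_ID}" \
            --data-urlencode "text=${TEXT}"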