96 lines
3.3 KiB
YAML
96 lines
3.3 KiB
YAML
name: trivy-scan-image
|
|
run-name: Trivy - Scan Docker Image
|
|
|
|
on:
|
|
workflow_dispatch: # Manuelles Auslösen des Workflows
|
|
inputs:
|
|
image_tag:
|
|
description: 'Tag für das zu scannende Docker-Image z.B. latest'
|
|
required: true
|
|
default: 'latest'
|
|
schedule:
|
|
- cron: '15 2 * * 5'
|
|
|
|
env:
|
|
image_name: doc_rudi
|
|
image_tag: ${{ github.event.inputs.image_tag || 'latest' }}
|
|
registry_gitea: gitea.tebarius.duckdns.org
|
|
user: tebarius
|
|
|
|
jobs:
|
|
trivy_image_scan:
|
|
runs-on: ubuntu-latest
|
|
container: aquasec/trivy:latest
|
|
steps:
|
|
- name: Scan linux/amd64-image
|
|
run: |
|
|
trivy image \
|
|
--username ${{ env.user }} \
|
|
--password ${{ secrets.DOCKER_PULL_TOKEN }} \
|
|
--exit-code 1 \
|
|
--scanners vuln,misconfig,secret \
|
|
--severity HIGH,CRITICAL \
|
|
--ignore-unfixed \
|
|
--platform linux/amd64 \
|
|
${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name }}:${{ env.image_tag }}
|
|
- name: Scan linux/386-image
|
|
run: |
|
|
trivy image \
|
|
--username ${{ env.user }} \
|
|
--password ${{ secrets.DOCKER_PULL_TOKEN }} \
|
|
--exit-code 1 \
|
|
--scanners vuln,misconfig,secret \
|
|
--severity HIGH,CRITICAL \
|
|
--ignore-unfixed \
|
|
--platform linux/386 \
|
|
${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name }}:${{ env.image_tag }}
|
|
- name: Scan linux/arm64-image
|
|
run: |
|
|
trivy image \
|
|
--username ${{ env.user }} \
|
|
--password ${{ secrets.DOCKER_PULL_TOKEN }} \
|
|
--exit-code 1 \
|
|
--scanners vuln,misconfig,secret \
|
|
--severity HIGH,CRITICAL \
|
|
--ignore-unfixed \
|
|
--platform linux/arm64 \
|
|
${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name }}:${{ env.image_tag }}
|
|
- name: Scan linux/arm/v7-image
|
|
run: |
|
|
trivy image \
|
|
--username ${{ env.user }} \
|
|
--password ${{ secrets.DOCKER_PULL_TOKEN }} \
|
|
--exit-code 1 \
|
|
--scanners vuln,misconfig,secret \
|
|
--severity HIGH,CRITICAL \
|
|
--ignore-unfixed \
|
|
--platform linux/arm/v7 \
|
|
${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name }}:${{ env.image_tag }}
|
|
|
|
telegram-notify:
|
|
needs: trivy_image_scan
|
|
if: always()
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Telegram Alert
|
|
run: |
|
|
case "${{ needs.trivy_image_scan.result }}" in
|
|
"success") EMOJI="✅"; MSG="OK" ;;
|
|
"failure") EMOJI="❌"; MSG="WARN!" ;;
|
|
"cancelled") EMOJI="⏹️"; MSG="Canceled" ;;
|
|
*) EMOJI="❓"; MSG="Unknown-State: ${{ needs.trivy_image_scan.result }}" ;;
|
|
esac
|
|
|
|
curl -s -X POST "https://api.telegram.org/bot${{ secrets.TELEGRAM_BOT_TOKEN }}/sendMessage" \
|
|
-H 'Content-Type: application/json' \
|
|
-d "{
|
|
\"chat_id\": \"${{ secrets.TELEGRAM_CHAT_ID }}\",
|
|
\"parse_mode\": \"HTML\",
|
|
\"text\":
|
|
\"$EMOJI <b>$MSG - Scan ${{ env.image_name }}:${{ env.image_tag }}</b>
|
|
<i>$(date +"%Y-%m-%d %T")</i>
|
|
Trivy-Image-Scan of: <b><i>${{ env.image_name }}:${{ env.image_tag }}</i></b>
|
|
${{ gitea.server_url }}/${{ gitea.repository }}
|
|
\"
|
|
}"
|