From 5d7ac62617e2aafd1afcd7a67dce82efc8704728 Mon Sep 17 00:00:00 2001 From: pdmarf <135653545+pdmarf@users.noreply.github.com> Date: Fri, 17 Apr 2026 22:11:58 +0100 Subject: [PATCH] Add Telegram alerts, setup script, and cron registration - setup.sh: run once after cloning to configure credentials and register cron jobs - config.sh gitignored so credentials never enter the repo - Both scripts notify Telegram on issues/warnings, including hostname - Cron runs npm-security-check at 08:00 and check-nextjs-rce at 08:05 daily --- .gitignore | 2 ++ check-nextjs-rce.sh | 17 ++++++++++ npm-security-check.sh | 19 +++++++++++ setup.sh | 75 +++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 113 insertions(+) create mode 100644 .gitignore create mode 100755 setup.sh diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..465ac6d --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +config.sh +*.log diff --git a/check-nextjs-rce.sh b/check-nextjs-rce.sh index 837f18a..4620e02 100755 --- a/check-nextjs-rce.sh +++ b/check-nextjs-rce.sh @@ -2,6 +2,18 @@ # Next.js CVE-2025-66478 / CVE-2025-55182 Vulnerability Checker # Checks if Next.js installations are vulnerable to critical RCE +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +source "$SCRIPT_DIR/config.sh" + +send_telegram() { + curl -s -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \ + -d chat_id="${TELEGRAM_CHAT_ID}" \ + -d text="$1" \ + -d parse_mode="HTML" > /dev/null || true +} + +HOSTNAME=$(hostname) + echo "=== Next.js RCE Vulnerability Scanner ===" echo "CVE-2025-66478 / CVE-2025-55182 (CVSS 10.0)" echo "" 
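Review bot: send_telegram posts the message with `-d text="$1"`, which curl sends verbatim as application/x-www-form-urlencoded, so a `+` in the body is decoded server-side as a space and `&` or `%` would split or corrupt the field; the second hunk of this file sends "15.5.7+ or 16.0.7+" and hits exactly that. Use `--data-urlencode text="$1"` (and the same for chat_id) so arbitrary text survives; the identical function is added in the first hunk of npm-security-check.sh and the test message in setup.sh uses the same `-d text=` pattern, so all three need the change. The bot token also lands in curl's argv, where it is visible in `ps` and `/proc/*/cmdline` to any local user for the duration of the request; passing the URL through a config read from stdin, `curl -s -K - <<<"url = \"https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage\""`, keeps it out of the process list. Finally, `source "$SCRIPT_DIR/config.sh"` has no existence check and this script's set options are outside the hunk, so a missing config.sh either aborts the scan or (without -e) lets it run with empty credentials while `|| true` swallows every failed alert; a `[[ -r "$SCRIPT_DIR/config.sh" ]] || { echo "config.sh missing — run setup.sh" >&2; exit 2; }` guard before the source makes that state loud under cron.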
@@ -116,6 +128,11 @@ if [ $VULNERABLE -gt 0 ]; then echo " npm install next@latest" echo " # or" echo " yarn upgrade next@15.5.7" + send_telegram "🚨 Vulnerable Next.js Found — CVE-2025-66478 +Host: ${HOSTNAME} +Vulnerable installations: ${VULNERABLE} +Update to Next.js 15.5.7+ or 16.0.7+ +Run manually: bash check-nextjs-rce.sh" exit 1 else echo -e "${GREEN}✓ All Next.js installations are safe${NC}" diff --git a/npm-security-check.sh b/npm-security-check.sh index faad061..f3b6e60 100755 --- a/npm-security-check.sh +++ b/npm-security-check.sh @@ -4,6 +4,17 @@ set -euo pipefail +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +# shellcheck source=config.sh +source "$SCRIPT_DIR/config.sh" + +send_telegram() { + curl -s -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \ + -d chat_id="${TELEGRAM_CHAT_ID}" \ + -d text="$1" \ + -d parse_mode="HTML" > /dev/null || true +} + HOSTNAME=$(hostname) DATE=$(date) LOGFILE="${1:-npm_security_check_${HOSTNAME}_$(date +%Y%m%d_%H%M%S).log}" @@ -257,9 +268,17 @@ log "Results saved to : $LOGFILE" log "" if [[ $ISSUES -gt 0 ]]; then log "$(printf "${RED}✗ %d issue(s) found — review output above${RESET}" "$ISSUES")" + send_telegram "🚨 Security Alert — npm-security-check +Host: ${HOSTNAME} +Issues: ${ISSUES} | Warnings: ${WARNINGS} +Run manually to review: bash npm-security-check.sh" exit 1 elif [[ $WARNINGS -gt 0 ]]; then log "$(printf "${YELLOW}⚠ Clean but %d warning(s) — review output above${RESET}" "$WARNINGS")" + send_telegram "⚠️ Security Warning — npm-security-check +Host: ${HOSTNAME} +Warnings: ${WARNINGS} (no critical issues) +Run manually to review: bash npm-security-check.sh" exit 0 else log "$(printf "${GREEN}✓ All checks passed — no indicators of compromise${RESET}")" diff --git a/setup.sh b/setup.sh new file mode 100755 index 0000000..5cdfe42 --- /dev/null +++ b/setup.sh 
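Review bot: With the `set -euo pipefail` visible at the top of this hunk, a config.sh that exists but omits TELEGRAM_BOT_TOKEN or TELEGRAM_CHAT_ID is only noticed when send_telegram first expands the variable — at the end of the scan, at the moment an alert is due — and I believe the unbound-variable error is fatal there regardless of the `|| true`. Validate immediately after the `source` line with `: "${TELEGRAM_BOT_TOKEN:?not set in config.sh}"` and `: "${TELEGRAM_CHAT_ID:?not set in config.sh}"` so misconfiguration fails fast with a clear message. The `# shellcheck source=config.sh` directive added here is absent from the equivalent lines in check-nextjs-rce.sh; keeping both preambles identical lets ShellCheck follow the sourced file in both scripts.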
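Review bot: Alerts are emitted only from the issue and warning branches of this if block, so a scan that dies earlier under `set -e` (missing tool, unreadable path, curl not installed) sends nothing and is indistinguishable from a clean run for whoever is watching the chat. If the rest of the script does not already cover this, a `trap 'send_telegram "❌ npm-security-check failed on ${HOSTNAME} at line ${LINENO}"' ERR` placed after HOSTNAME is set (with `set -E` so the trap is inherited inside functions) converts that silent failure into a visible one. The closing `fi` of this if/elif/else block lies past the end of the hunk.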
@@ -0,0 +1,75 @@ +#!/usr/bin/env bash +# setup.sh +# Run once after cloning on any VM where you want security scanning active. + +set -euo pipefail + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +echo "=== Security Tools Setup ===" +echo "" + +# ── Telegram credentials ─────────────────────────────────────────────────────── +if [[ -f "$SCRIPT_DIR/config.sh" ]]; then + echo "config.sh already exists — skipping credential setup." +else + echo "Enter your Telegram bot token:" + read -r BOT_TOKEN + echo "Enter your Telegram chat ID:" + read -r CHAT_ID + + cat > "$SCRIPT_DIR/config.sh" </dev/null || true) + +if echo "$EXISTING" | grep -qF "npm-security-check.sh"; then + echo "Cron job for npm-security-check.sh already registered — skipping." +else + (echo "$EXISTING"; echo "$CRON_1") | crontab - + echo "Cron job registered: npm-security-check.sh daily at 08:00." +fi + +if echo "$EXISTING" | grep -qF "check-nextjs-rce.sh"; then + echo "Cron job for check-nextjs-rce.sh already registered — skipping." +else + (crontab -l 2>/dev/null; echo "$CRON_2") | crontab - + echo "Cron job registered: check-nextjs-rce.sh daily at 08:05." +fi + +# ── Test Telegram ────────────────────────────────────────────────────────────── +source "$SCRIPT_DIR/config.sh" +HOSTNAME=$(hostname) + +echo "" +echo "Sending test Telegram message..." +RESPONSE=$(curl -s -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \ + -d chat_id="${TELEGRAM_CHAT_ID}" \ + -d text="✅ Security Tools Active +Host: ${HOSTNAME} +Scripts registered and running daily at 08:00." \ + -d parse_mode="HTML") + +if echo "$RESPONSE" | grep -q '"ok":true'; then + echo "Test message sent to Telegram." +else + echo "Warning: Telegram message failed. Check your token and chat ID in config.sh." +fi + +echo "" +echo "Setup complete. Security scans will run daily at 08:00 on ${HOSTNAME}."
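Review bot: The `cat > "$SCRIPT_DIR/config.sh"` write inherits the caller's umask, so with a typical 022 default the bot token ends up in a world-readable 0644 file; put `umask 077` before it, or `chmod 600 "$SCRIPT_DIR/config.sh"` immediately after, so only the account that runs the scans can read the credentials. `read -r BOT_TOKEN` also echoes the secret to the terminal and its scrollback; `read -rs BOT_TOKEN` followed by a bare `echo` to restore the newline avoids that. The Telegram test assigns `RESPONSE=$(curl -s ...)` under `set -euo pipefail`, so a transport-level failure (no network, DNS) exits the script before the "Warning: Telegram message failed" branch or the final summary can run — `RESPONSE=$(curl -s ... ) || RESPONSE=""` keeps the intended fallback reachable. The heredoc body and the CRON_1/CRON_2 definitions are garbled in this rendering of the hunk, so I could not review them; note also that the closing summary says scans run at 08:00 while the commit message schedules check-nextjs-rce.sh at 08:05.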