Add Telegram alerts, setup script, and cron registration

- setup.sh: run once after cloning to configure credentials and register cron jobs - config.sh gitignored so credentials never enter the repo - Both scripts notify Telegram on issues/warnings, including hostname - Cron runs npm-security-check at 08:00 and check-nextjs-rce at 08:05 daily
2026-04-17 22:11:58 +01:00
parent 130f4f4a34
commit 5d7ac62617
4 changed files with 113 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+config.sh
+*.log
--- a/check-nextjs-rce.sh
+++ b/check-nextjs-rce.sh
@@ -2,6 +2,18 @@
 # Next.js CVE-2025-66478 / CVE-2025-55182 Vulnerability Checker
 # Checks if Next.js installations are vulnerable to critical RCE

+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/config.sh"
+
+send_telegram() {
+    curl -s -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
+        -d chat_id="${TELEGRAM_CHAT_ID}" \
+        -d text="$1" \
+        -d parse_mode="HTML" > /dev/null || true
+}
+
+HOSTNAME=$(hostname)
+
 echo "=== Next.js RCE Vulnerability Scanner ==="
 echo "CVE-2025-66478 / CVE-2025-55182 (CVSS 10.0)"
 echo ""
@@ -116,6 +128,11 @@ if [ $VULNERABLE -gt 0 ]; then
    echo "  npm install next@latest"
    echo "  # or"
    echo "  yarn upgrade next@15.5.7"
+    send_telegram "🚨 <b>Vulnerable Next.js Found — CVE-2025-66478</b>
+Host: <code>${HOSTNAME}</code>
+Vulnerable installations: ${VULNERABLE}
+Update to Next.js 15.5.7+ or 16.0.7+
+Run manually: bash check-nextjs-rce.sh"
    exit 1
 else
    echo -e "${GREEN}✓ All Next.js installations are safe${NC}"
--- a/npm-security-check.sh
+++ b/npm-security-check.sh
@@ -4,6 +4,17 @@

 set -euo pipefail

+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=config.sh
+source "$SCRIPT_DIR/config.sh"
+
+send_telegram() {
+    curl -s -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
+        -d chat_id="${TELEGRAM_CHAT_ID}" \
+        -d text="$1" \
+        -d parse_mode="HTML" > /dev/null || true
+}
+
 HOSTNAME=$(hostname)
 DATE=$(date)
 LOGFILE="${1:-npm_security_check_${HOSTNAME}_$(date +%Y%m%d_%H%M%S).log}"
@@ -257,9 +268,17 @@ log "Results saved to : $LOGFILE"
 log ""
 if [[ $ISSUES -gt 0 ]]; then
    log "$(printf "${RED}✗ %d issue(s) found — review output above${RESET}" "$ISSUES")"
+    send_telegram "🚨 <b>Security Alert — npm-security-check</b>
+Host: <code>${HOSTNAME}</code>
+Issues: ${ISSUES} | Warnings: ${WARNINGS}
+Run manually to review: bash npm-security-check.sh"
    exit 1
 elif [[ $WARNINGS -gt 0 ]]; then
    log "$(printf "${YELLOW}⚠ Clean but %d warning(s) — review output above${RESET}" "$WARNINGS")"
+    send_telegram "⚠️ <b>Security Warning — npm-security-check</b>
+Host: <code>${HOSTNAME}</code>
+Warnings: ${WARNINGS} (no critical issues)
+Run manually to review: bash npm-security-check.sh"
    exit 0
 else
    log "$(printf "${GREEN}✓ All checks passed — no indicators of compromise${RESET}")"
--- a/setup.sh
+++ b/setup.sh
@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+# setup.sh
+# Run once after cloning on any VM where you want security scanning active.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+echo "=== Security Tools Setup ==="
+echo ""
+
+# ── Telegram credentials ───────────────────────────────────────────────────────
+if [[ -f "$SCRIPT_DIR/config.sh" ]]; then
+    echo "config.sh already exists — skipping credential setup."
+else
+    echo "Enter your Telegram bot token:"
+    read -r BOT_TOKEN
+    echo "Enter your Telegram chat ID:"
+    read -r CHAT_ID
+
+    cat > "$SCRIPT_DIR/config.sh" <<EOF
+#!/usr/bin/env bash
+# Telegram notification config
+TELEGRAM_BOT_TOKEN="${BOT_TOKEN}"
+TELEGRAM_CHAT_ID="${CHAT_ID}"
+EOF
+    chmod 600 "$SCRIPT_DIR/config.sh"
+    echo "config.sh created."
+fi
+
+# ── Make scripts executable ────────────────────────────────────────────────────
+chmod +x "$SCRIPT_DIR/npm-security-check.sh"
+chmod +x "$SCRIPT_DIR/check-nextjs-rce.sh"
+
+# ── Cron jobs ──────────────────────────────────────────────────────────────────
+CRON_1="0 8 * * * $SCRIPT_DIR/npm-security-check.sh >> $SCRIPT_DIR/npm-security-check-cron.log 2>&1"
+CRON_2="5 8 * * * $SCRIPT_DIR/check-nextjs-rce.sh >> $SCRIPT_DIR/check-nextjs-rce-cron.log 2>&1"
+
+EXISTING=$(crontab -l 2>/dev/null || true)
+
+if echo "$EXISTING" | grep -qF "npm-security-check.sh"; then
+    echo "Cron job for npm-security-check.sh already registered — skipping."
+else
+    (echo "$EXISTING"; echo "$CRON_1") | crontab -
+    echo "Cron job registered: npm-security-check.sh daily at 08:00."
+fi
+
+if echo "$EXISTING" | grep -qF "check-nextjs-rce.sh"; then
+    echo "Cron job for check-nextjs-rce.sh already registered — skipping."
+else
+    (crontab -l 2>/dev/null; echo "$CRON_2") | crontab -
+    echo "Cron job registered: check-nextjs-rce.sh daily at 08:05."
+fi
+
+# ── Test Telegram ──────────────────────────────────────────────────────────────
+source "$SCRIPT_DIR/config.sh"
+HOSTNAME=$(hostname)
+
+echo ""
+echo "Sending test Telegram message..."
+RESPONSE=$(curl -s -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
+    -d chat_id="${TELEGRAM_CHAT_ID}" \
+    -d text="✅ <b>Security Tools Active</b>
+Host: <code>${HOSTNAME}</code>
+Scripts registered and running daily at 08:00." \
+    -d parse_mode="HTML")
+
+if echo "$RESPONSE" | grep -q '"ok":true'; then
+    echo "Test message sent to Telegram."
+else
+    echo "Warning: Telegram message failed. Check your token and chat ID in config.sh."
+fi
+
+echo ""
+echo "Setup complete. Security scans will run daily at 08:00 on ${HOSTNAME}."