From 6d880215e4577b89757a8609113ddc5237859539 Mon Sep 17 00:00:00 2001
From: sam-trace <122341597+sam-trace@users.noreply.github.com>
Date: Tue, 29 Oct 2024 22:14:45 +0530
Subject: [PATCH 1/3] add trivy cache
---
 trivy-fs-scan/action.yaml | 35 ++++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)
diff --git a/trivy-fs-scan/action.yaml b/trivy-fs-scan/action.yaml
index d8c13bf..4ff1ad7 100644
--- a/trivy-fs-scan/action.yaml
+++ b/trivy-fs-scan/action.yaml
@@ -72,6 +72,36 @@ runs:
 run: |
 touch .trivyignore
+ - name: Setup oras
+ uses: oras-project/setup-oras@v1
+
+ - name: Get current date
+ shell: sh
+ id: date
+ run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+ - name: Download and extract the vulnerability DB
+ shell: sh
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+ oras pull ghcr.io/aquasecurity/trivy-db:2
+ tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+ rm db.tar.gz
+
+ - name: Download and extract the Java DB
+ shell: sh
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+ oras pull ghcr.io/aquasecurity/trivy-java-db:1
+ tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+ rm javadb.tar.gz
+
+ - name: Cache DBs
+ uses: actions/cache/save@v4
+ with:
+ path: ${{ github.workspace }}/.cache/trivy
+ key: cache-trivy-${{ steps.date.outputs.date }}
+
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
 with:
@@ -88,6 +118,9 @@ runs:
 skip-dirs: ${{ inputs.skip-dirs }}
 skip-files: ${{ inputs.skip-files }}
 exit-code: '1'
+ env:
+ TRIVY_SKIP_DB_UPDATE: true
+ TRIVY_SKIP_JAVA_DB_UPDATE: true
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v2
@@ -100,4 +133,4 @@ runs:
 if: ${{ (success() || failure()) && inputs.output-mode == 'github' && inputs.category != '' }}
 with:
 sarif_file: ${{ steps.output.outputs.TRIVY_OUTPUT }}
- category: ${{ inputs.category }}
\ No newline at end of file
+ category: ${{ inputs.category }}
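Review bot: The download steps populate `$GITHUB_WORKSPACE/.cache/trivy`, but nothing in this hunk or in the env block added in the next hunk tells the scanner where that directory is, so `TRIVY_SKIP_DB_UPDATE`/`TRIVY_SKIP_JAVA_DB_UPDATE` only work if trivy-action's default cache location happens to be that same path; adding `TRIVY_CACHE_DIR: ${{ github.workspace }}/.cache/trivy` beside the skip flags makes the pre-populated path and the skip flags agree explicitly. `actions/cache/save@v4` has no matching `actions/cache/restore`, so the daily-keyed cache is written on every run but never read back, and both DBs are still pulled each time. `oras-project/setup-oras@v1` is a floating tag for a tool that is then used to fetch and unpack archives onto the runner; pinning it to a commit SHA is the usual hardening, and the pre-existing `aquasecurity/trivy-action@master` line has the same weakness. The unquoted `$GITHUB_WORKSPACE` in the `mkdir`/`tar` lines and `$GITHUB_OUTPUT` in the date step would break on a path containing spaces; `"$GITHUB_WORKSPACE"` and `"$GITHUB_OUTPUT"` are the safer spellings.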
From be1f401cc848a093a603b16496c5bca350becb45 Mon Sep 17 00:00:00 2001
From: sam-trace <122341597+sam-trace@users.noreply.github.com>
Date: Tue, 29 Oct 2024 22:18:50 +0530
Subject: [PATCH 2/3] fix linter issues
---
 trivy-fs-scan/action.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/trivy-fs-scan/action.yaml b/trivy-fs-scan/action.yaml
index 4ff1ad7..317f1a1 100644
--- a/trivy-fs-scan/action.yaml
+++ b/trivy-fs-scan/action.yaml
@@ -78,7 +78,8 @@ runs:
 - name: Get current date
 shell: sh
 id: date
- run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+ run: |
+ echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
 - name: Download and extract the vulnerability DB
 shell: sh
@@ -119,8 +120,8 @@ runs:
 skip-files: ${{ inputs.skip-files }}
 exit-code: '1'
 env:
- TRIVY_SKIP_DB_UPDATE: true
- TRIVY_SKIP_JAVA_DB_UPDATE: true
+ TRIVY_SKIP_DB_UPDATE: 'true'
+ TRIVY_SKIP_JAVA_DB_UPDATE: 'true'
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v2
From 5c1f799808568474c75125aea43c6993faae04bc Mon Sep 17 00:00:00 2001
From: sam-trace <122341597+sam-trace@users.noreply.github.com>
Date: Tue, 29 Oct 2024 23:43:53 +0530
Subject: [PATCH 3/3] remove github cache
---
 trivy-fs-scan/action.yaml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/trivy-fs-scan/action.yaml b/trivy-fs-scan/action.yaml
index 317f1a1..097a8bb 100644
--- a/trivy-fs-scan/action.yaml
+++ b/trivy-fs-scan/action.yaml
@@ -97,11 +97,6 @@ runs:
 tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
 rm javadb.tar.gz
- - name: Cache DBs
- uses: actions/cache/save@v4
- with:
- path: ${{ github.workspace }}/.cache/trivy
- key: cache-trivy-${{ steps.date.outputs.date }}
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
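Review bot: Removing the `Cache DBs` step orphans the `Get current date` step (id `date`, above this hunk), whose only consumer was the `key: cache-trivy-${{ steps.date.outputs.date }}` line deleted here; drop that step as well rather than leaving dead output in every run. Judging by the hunk counts (11 old lines, 6 new, 5 removed), the blank lines on both sides of the removed step survive, leaving two consecutive blank lines before `- name: Run Trivy vulnerability scanner`; one of them should go. With no cache left, the `TRIVY_SKIP_DB_UPDATE: 'true'` setting on the scan step relies entirely on the two preceding `oras pull` steps having succeeded in the same job, which deserves a comment on those steps such as `# DBs are fetched fresh on every run; the scan step below skips its own DB update and depends on this`.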