From 01a54da4250ebeb578cbd14c299f7b55a9db819e Mon Sep 17 00:00:00 2001 From: DaMandal0rian Date: Tue, 29 Oct 2024 19:27:17 +0300 Subject: [PATCH] fix trivy scan and enable caching of vulnerability DB --- .github/workflows/trivy-security-scan.yml | 62 ++++++++++++++++++++--- 1 file changed, 55 insertions(+), 7 deletions(-) diff --git a/.github/workflows/trivy-security-scan.yml b/.github/workflows/trivy-security-scan.yml index daff378bd32..832fff5846f 100644 --- a/.github/workflows/trivy-security-scan.yml +++ b/.github/workflows/trivy-security-scan.yml @@ -1,15 +1,40 @@ ## -# This action runs trivy container and repository vulnerability -# scanner for docker images and cargo packages. +# This action runs Trivy container and repository vulnerability +# scanner for Docker images and filesystems. ## name: trivy-security-scan on: repository_dispatch: - types: [ trivy-scan-dispatch ] + types: [trivy-scan-dispatch] + schedule: + - cron: '0 0 * * *' # Runs daily at midnight UTC jobs: + update-trivy-db: + runs-on: ubuntu-latest + steps: + - name: Setup oras + uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c # v1.21 + + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + + - name: Download and extract the vulnerability DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db + oras pull ghcr.io/aquasecurity/trivy-db:2 + tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db + rm db.tar.gz + + - name: Cache DBs + uses: actions/cache@v4 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }} + wait-for-image: runs-on: ubuntu-latest outputs: 
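Review bot: `uses: actions/cache@v4` in the new `Cache DBs` step references a mutable tag, while every other action in this file is pinned to a full commit SHA with a version comment (`actions/checkout@b4ffde…`, `oras-project/setup-oras@9c9259…`, `aquasecurity/trivy-action@915b19…`); the three `actions/cache@v4` restore steps in the second hunk have the same gap. A tag can be moved to different code after this review, so pin it the same way, e.g. `uses: actions/cache@<full-commit-sha-of-the-v4-release> # v4.x.y` (placeholder; take the SHA from the actions/cache release). In the same job, `oras pull ghcr.io/aquasecurity/trivy-db:2` fetches a moving tag and `tar -xzf` unpacks it with no integrity check; since the DB is meant to move daily, at least keep the digest that `oras pull` reports in the job log (or add a comment explaining that the tag is intentionally unpinned) so a scan result can be tied to the exact DB it used.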
@@ -48,38 +73,61 @@ jobs: - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Restore Trivy DB cache + uses: actions/cache@v4 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }} + - name: Run Trivy vulnerability scanner on image - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # @v0.19.0 + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0 with: image-ref: ${{ github.event.client_payload.image }} + cache: 'true' format: "sarif" output: "trivy-results.sarif" exit-code: "1" ignore-unfixed: true vuln-type: "os,library" severity: "CRITICAL,HIGH" + env: + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@4759df8df70c5ebe7042c3029bbace20eee13edd # @v2.23.1 + uses: github/codeql-action/upload-sarif@4759df8df70c5ebe7042c3029bbace20eee13edd # v2.23.1 with: sarif_file: "trivy-results.sarif" trivy_scan_repo: + needs: update-trivy-db runs-on: ubuntu-latest + steps: - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Restore Trivy DB cache + uses: actions/cache@v4 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }} + - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # @v0.19.0 + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0 with: scan-type: fs + cache-dir: ${{ github.workspace }}/.cache/trivy + cache: 'true' ignore-unfixed: true format: sarif output: trivy-results.sarif severity: CRITICAL + env: + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # 
v3.24.9 with: - sarif_file: trivy-results.sarif + sarif_file: "trivy-results.sarif"
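Review bot: `key: cache-trivy-${{ steps.date.outputs.date }}` in both new `Restore Trivy DB cache` steps refers to a step that exists only in the `update-trivy-db` job; the `steps` context is per job, so here the expression expands to empty, the key becomes `cache-trivy-`, which never matches the `cache-trivy-<date>` key saved by `update-trivy-db`, and with `TRIVY_SKIP_DB_UPDATE: true` a miss leaves Trivy with no database at all. Expose the date as a job output in the first hunk (`outputs:` / `date: ${{ steps.date.outputs.date }}` under `update-trivy-db`) and use `key: cache-trivy-${{ needs.update-trivy-db.outputs.date }}` in both restore steps; that also requires `needs: update-trivy-db` on the image-scan job, whose header is outside this hunk so I cannot see whether it has one (`trivy_scan_repo` does). The repo-scan step points Trivy at the restored directory with `cache-dir: ${{ github.workspace }}/.cache/trivy`, but the image-scan step does not, so Trivy there presumably looks in its default cache location rather than the restored one; add the same line under its `with:`. Note too that `TRIVY_SKIP_JAVA_DB_UPDATE: true` is set while `update-trivy-db` only pulls `trivy-db:2`, so a scan that encounters Java artifacts would run without a Java DB — presumably acceptable for this repository, but worth a one-line comment next to the env block.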