fix trivy scan and enable caching of vulnerability DB #3192

Merged, 5 commits, Oct 31, 2024
Diff shown: changes from 3 commits
62 changes: 54 additions & 8 deletions .github/workflows/trivy-security-scan.yml
@@ -1,13 +1,13 @@
##
# This action runs trivy container and repository vulnerability
# scanner for docker images and cargo packages.
# This action runs Trivy container and repository vulnerability
# scanner for Docker images and filesystem.
##

name: trivy-security-scan

on:
repository_dispatch:
types: [ trivy-scan-dispatch ]
types: [trivy-scan-dispatch]

jobs:
wait-for-image:
@@ -39,47 +39,93 @@ jobs:
echo "::set-output name=available::true"
shell: bash

trivy_scan_image:
update-trivy-db:
needs: wait-for-image
runs-on: ubuntu-latest
steps:
- name: Setup oras
uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c # v1.21

- name: Get current date
id: date
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT

- name: Download and extract the vulnerability DB
run: |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
Member:

$GITHUB_WORKSPACE is already the default, why use it explicitly?

Member Author:

Just my preference for readability, but I have changed it.

oras pull ghcr.io/aquasecurity/trivy-db:2
tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
rm db.tar.gz

- name: Cache DBs
uses: actions/cache@v4
with:
path: ${{ github.workspace }}/.cache/trivy
Member:
I believe this is equivalent:

Suggested change
path: ${{ github.workspace }}/.cache/trivy
path: .cache/trivy

key: cache-trivy-${{ steps.date.outputs.date }}

trivy_scan_image:
needs: update-trivy-db
Member:

This will result in the update happening every single time, essentially defeating the purpose of caching; in fact caching just does more work here for no reason.

What should be done instead is a separate workflow like the one described in https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#updating-caches-in-the-default-branch that updates the cache periodically, and then use it in this workflow.

An even better approach, and something I'd do, would be to only update the cache if it is missing, and then, if cache recovery (for the current date) is successful, we'll skip downloading. I have implemented this logic for GTK4 building here; the only major difference here is that the cache key will include a date.

if: needs.wait-for-image.outputs.image-available == 'true'
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Restore Trivy DB cache
uses: actions/cache@v4
with:
path: ${{ github.workspace }}/.cache/trivy
key: cache-trivy-${{ steps.date.outputs.date }}
teor2345 marked this conversation as resolved.

- name: Run Trivy vulnerability scanner on image
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # @v0.19.0
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
image-ref: ${{ github.event.client_payload.image }}
cache: 'true'
format: "sarif"
output: "trivy-results.sarif"
exit-code: "1"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
env:
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@4759df8df70c5ebe7042c3029bbace20eee13edd # @v2.23.1
uses: github/codeql-action/upload-sarif@4759df8df70c5ebe7042c3029bbace20eee13edd # v2.23.1
with:
sarif_file: "trivy-results.sarif"

trivy_scan_repo:
needs: update-trivy-db
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Restore Trivy DB cache
uses: actions/cache@v4
with:
path: ${{ github.workspace }}/.cache/trivy
key: cache-trivy-${{ steps.date.outputs.date }}

- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # @v0.19.0
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
scan-type: fs
cache: 'true'
ignore-unfixed: true
format: sarif
output: trivy-results.sarif
severity: CRITICAL
env:
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
with:
sarif_file: trivy-results.sarif
sarif_file: "trivy-results.sarif"
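Review bot: `steps.date.outputs.date` is referenced in the `Restore Trivy DB cache` steps of `trivy_scan_image` and `trivy_scan_repo`, but the `date` step only exists in `update-trivy-db`; step outputs do not cross job boundaries, so in those two jobs the key evaluates to `cache-trivy-` and never matches the key saved by `update-trivy-db`. Expose it as a job output (`outputs: date: ${{ steps.date.outputs.date }}` on `update-trivy-db`) and use `key: cache-trivy-${{ needs.update-trivy-db.outputs.date }}` in the two consumer jobs. Second, in `update-trivy-db` the `oras pull` runs unconditionally before `actions/cache@v4` restores, so the DB is downloaded on every run and the cache step only adds a save; split it into `actions/cache/restore` (with `lookup-only: true`), a download step guarded by `if: steps.<restore-id>.outputs.cache-hit != 'true'`, and `actions/cache/save`, which is the pattern the comment above asks for. Third, `TRIVY_SKIP_JAVA_DB_UPDATE: true` is set on both scan jobs while only `trivy-db:2` is pulled into the cache; if the fs scan ever encounters a JAR, Trivy has no Java DB and is not allowed to fetch one, so either also pull `ghcr.io/aquasecurity/trivy-java-db:1` into the cache or drop that variable. Finally, `actions/cache@v4` is the only action in this file not pinned to a commit SHA with a version comment; pin it the same way, and confirm whether `cache: 'true'` on the pinned `trivy-action` already restores and saves the same `.cache/trivy` path, in which case the explicit restore step in each scan job is redundant.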