From 4e702a09a95c1a1ac1842626f2448a12858f46e8 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Thu, 10 Oct 2024 20:56:13 +0200 Subject: [PATCH] chore: Setup Trivy cache (#1377) --- .github/workflows/ai.yaml | 3 ++ .github/workflows/test.yaml | 6 ++++ .github/workflows/trivy-artifact-scan.yaml | 3 ++ .github/workflows/trivy-cache.yaml | 34 ++++++++++++++++++++++ .github/workflows/www.yaml | 6 ++++ 5 files changed, 52 insertions(+) create mode 100644 .github/workflows/trivy-cache.yaml diff --git a/.github/workflows/ai.yaml b/.github/workflows/ai.yaml index a077096c1..5436a12ea 100644 --- a/.github/workflows/ai.yaml +++ b/.github/workflows/ai.yaml @@ -69,6 +69,9 @@ jobs: security-checks: 'vuln,secret' ignore-unfixed: true #severity: 'CRITICAL,HIGH' + env: + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index fbe87a7e8..d2aaadd57 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -94,6 +94,9 @@ jobs: security-checks: 'vuln,secret' ignore-unfixed: true #severity: 'CRITICAL,HIGH' + env: + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: @@ -119,6 +122,9 @@ jobs: security-checks: 'vuln,secret' ignore-unfixed: true #severity: 'CRITICAL,HIGH' + env: + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: diff --git a/.github/workflows/trivy-artifact-scan.yaml b/.github/workflows/trivy-artifact-scan.yaml index 916204627..49f490c00 100644 --- a/.github/workflows/trivy-artifact-scan.yaml +++ b/.github/workflows/trivy-artifact-scan.yaml @@ -35,6 +35,9 @@ jobs: security-checks: 'vuln,secret,config' ignore-unfixed: true #severity: 'CRITICAL,HIGH' + env: + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: diff --git a/.github/workflows/trivy-cache.yaml b/.github/workflows/trivy-cache.yaml new file mode 100644 index 000000000..a4e4aef64 --- /dev/null +++ b/.github/workflows/trivy-cache.yaml @@ -0,0 +1,34 @@ +name: Update Trivy Cache + +on: + schedule: + - cron: '0 0 * * *' + workflow_dispatch: + +jobs: + update-trivy-db: + runs-on: ubuntu-latest + steps: + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + + - name: Download and extract the vulnerability DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db + oras pull ghcr.io/aquasecurity/trivy-db:2 + tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db + rm db.tar.gz + + - name: Download and extract the Java DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db + oras pull ghcr.io/aquasecurity/trivy-java-db:1 + tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db + rm javadb.tar.gz + + - name: Cache DBs + uses: actions/cache/save@v4 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }} \ No newline at end of file diff --git a/.github/workflows/www.yaml b/.github/workflows/www.yaml index f47b0aafc..2c6106b70 100644 --- a/.github/workflows/www.yaml +++ b/.github/workflows/www.yaml @@ -63,6 +63,9 @@ jobs: security-checks: 'vuln,secret' ignore-unfixed: true #severity: 'CRITICAL,HIGH' + env: + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: @@ -88,6 +91,9 @@ jobs: security-checks: 'vuln,secret' ignore-unfixed: true #severity: 'CRITICAL,HIGH' + env: + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: