diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index dd0ce2b..f585fd5 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -54,6 +54,9 @@ jobs:
 format: 'table'
 ignore-unfixed: true
 vuln-type: 'os,library'
+ env:
+ TRIVY_SKIP_DB_UPDATE: true
+ TRIVY_SKIP_JAVA_DB_UPDATE: true
 - name: Trivy - Stop on Severe Vulnerabilities
 uses: aquasecurity/trivy-action@master
 if: github.event_name == 'pull_request'
@@ -65,6 +68,9 @@ jobs:
 exit-code: '1'
 vuln-type: 'os,library'
 severity: 'CRITICAL,HIGH'
+ env:
+ TRIVY_SKIP_DB_UPDATE: true
+ TRIVY_SKIP_JAVA_DB_UPDATE: true
 - name: Docker meta
 id: meta
 uses: docker/metadata-action@v4
diff --git a/.github/workflows/cache-trivy.yaml b/.github/workflows/cache-trivy.yaml
new file mode 100644
index 0000000..792dded
--- /dev/null
+++ b/.github/workflows/cache-trivy.yaml
@@ -0,0 +1,31 @@
+name: Update Trivy Cache
+
+on:
+ schedule:
+ - cron: '0 0 * * *' # Run daily at midnight UTC
+ workflow_dispatch: # Allow manual triggering
+
+jobs:
+ update-trivy-db:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Get current date
+ id: date
+ run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+ - name: Download and extract the Trivy vulnerability DB
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+ oras pull ghcr.io/aquasecurity/trivy-db:2
+ tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+ rm db.tar.gz
+ - name: Download and extract the Trivy Java DB
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+ oras pull ghcr.io/aquasecurity/trivy-java-db:1
+ tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+ rm javadb.tar.gz
+ - name: Cache Trivy DBs
+ uses: actions/cache/save@v4
+ with:
+ path: ${{ github.workspace }}/.cache/trivy
+ key: cache-trivy-${{ steps.date.outputs.date }}
\ No newline at end of file
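Review bot: The new `env:` block with `TRIVY_SKIP_DB_UPDATE` and `TRIVY_SKIP_JAVA_DB_UPDATE` only works if the databases are already sitting in the directory trivy-action reads at scan time, and neither this hunk nor the second one at `@@ -65,6 +68,9 @@` shows an `actions/cache/restore` step (or a `cache-dir` input) that brings the `${{ github.workspace }}/.cache/trivy` tree saved by the new cache-trivy workflow back into the job; if that restore lives outside the hunks this is fine, otherwise both scans will fail for lack of a DB. The same applies to the second hunk, which I am not repeating. Once a restore is in place, the `CRITICAL,HIGH` PR gate is only as current as the last successful cache run, and a fallback through `restore-keys` would keep scanning against an ageing DB without any signal, so I would add `# DB comes from the daily cache-trivy workflow; results are as fresh as that cache` above the `env:` block and consider failing the step when no cache hit occurs. The trivy-action steps these blocks belong to start before the hunk.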
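Review bot: The new workflow has no top-level `permissions:` block next to `on:`, so its `GITHUB_TOKEN` inherits the repository default scope although the job only pulls public OCI artifacts and saves a cache; `permissions: {}` should suffice here (actions/cache does not, as far as I know, need the token), and it keeps a compromised runner step from carrying write rights. The two `oras pull` steps fetch mutable tags (`trivy-db:2`, `trivy-java-db:1`) and `tar -xzf` the result into the workspace with no integrity check, which matches Trivy's own download model but deserves a comment such as `# mutable upstream tags, refreshed by aquasecurity; no signature check is performed here` so the trust decision is explicit. A second `workflow_dispatch` run on the same day produces the same `cache-trivy-<date>` key, and `actions/cache/save` will, I believe, skip rather than replace an existing entry, so the manual trigger cannot force a mid-day refresh; either fold `${{ github.run_id }}` into the key or note the limitation beside the `# Allow manual triggering` comment. The file is also missing its trailing newline.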