From 6fbcb5da81ae398827e4f82222fff75cf2b10068 Mon Sep 17 00:00:00 2001 From: mamutmk5 <3045922+mamutmk5@users.noreply.github.com> Date: Wed, 6 Nov 2024 16:34:00 +0100 Subject: [PATCH 1/5] BC-8372 - trivy use cache for DBs --- .github/workflows/push.yml | 8 ++++++++ .github/workflows/trivy.yml | 39 +++++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 .github/workflows/trivy.yml diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 1d601a6f96..711aef12ec 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -146,6 +146,11 @@ jobs: contents: read security-events: write steps: + - name: Restore cached trivy DBs + uses: actions/cache/restore@v4 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }} - name: run trivy vulnerability scanner uses: aquasecurity/trivy-action@1f6384b6ceecbbc6673526f865b818a2a06b07c9 with: @@ -154,6 +159,9 @@ jobs: output: "trivy-results.sarif" severity: "CRITICAL,HIGH" ignore-unfixed: true + env: + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true - name: upload trivy results if: ${{ always() }} uses: github/codeql-action/upload-sarif@v3 diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 0000000000..9ba6d25b26 --- /dev/null +++ b/.github/workflows/trivy.yml @@ -0,0 +1,39 @@ +# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans. +# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true. +name: Update Trivy Cache + +on: + schedule: + - cron: '0 0 * * *' # Run daily at midnight UTC + workflow_dispatch: # Allow manual triggering + +jobs: + update-trivy-db: + runs-on: ubuntu-latest + steps: + - name: Setup oras + uses: oras-project/setup-oras@v1 + + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + + - name: Download and extract the vulnerability DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db + oras pull ghcr.io/aquasecurity/trivy-db:2 + tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db + rm db.tar.gz + + - name: Download and extract the Java DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db + oras pull ghcr.io/aquasecurity/trivy-java-db:1 + tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db + rm javadb.tar.gz + + - name: Cache DBs + uses: actions/cache/save@v4 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }} From d10adc348f2474816a1d5f9a332ec598d00c8de3 Mon Sep 17 00:00:00 2001 From: mamutmk5 <3045922+mamutmk5@users.noreply.github.com> Date: Wed, 6 Nov 2024 17:07:08 +0100 Subject: [PATCH 2/5] BC-8372 - fix trivy cache name --- .github/workflows/push.yml | 2 +- .github/workflows/trivy.yml | 6 +----- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 711aef12ec..f148ae0ba3 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -150,7 +150,7 @@ jobs: uses: actions/cache/restore@v4 with: path: ${{ github.workspace }}/.cache/trivy - key: cache-trivy-${{ steps.date.outputs.date }} + key: cache-trivy - name: run trivy vulnerability scanner uses: aquasecurity/trivy-action@1f6384b6ceecbbc6673526f865b818a2a06b07c9 with: diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 9ba6d25b26..214c7fa078 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -14,10 +14,6 @@ jobs: - name: Setup oras uses: oras-project/setup-oras@v1 - - name: Get current date - id: date - run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - name: Download and extract the vulnerability DB run: | mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db @@ -36,4 +32,4 @@ jobs: uses: actions/cache/save@v4 with: path: ${{ github.workspace }}/.cache/trivy - key: cache-trivy-${{ steps.date.outputs.date }} + key: cache-trivy From 067583b0d62d5581821d568a1551a1b4b858377e Mon Sep 17 00:00:00 2001 From: mamutmk5 <3045922+mamutmk5@users.noreply.github.com> Date: Thu, 7 Nov 2024 09:21:35 +0100 Subject: [PATCH 3/5] BC-8372 - fix cache nameing --- .github/workflows/push.yml | 5 ++++- .github/workflows/trivy.yml | 6 +++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index f148ae0ba3..0972441277 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -146,11 +146,14 @@ jobs: contents: read security-events: write steps: + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - name: Restore cached trivy DBs uses: actions/cache/restore@v4 with: path: ${{ github.workspace }}/.cache/trivy - key: cache-trivy + key: cache-trivy-${{ steps.date.outputs.date }} - name: run trivy vulnerability scanner uses: aquasecurity/trivy-action@1f6384b6ceecbbc6673526f865b818a2a06b07c9 with: diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 214c7fa078..9ba6d25b26 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -14,6 +14,10 @@ jobs: - name: Setup oras uses: oras-project/setup-oras@v1 + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + - name: Download and extract the vulnerability DB run: | mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db @@ -32,4 +36,4 @@ jobs: uses: actions/cache/save@v4 with: path: ${{ github.workspace }}/.cache/trivy - key: cache-trivy + key: cache-trivy-${{ steps.date.outputs.date }} From 50ac4c04ca90a4e83739b8b19ede63b23e3dee4e Mon Sep 17 00:00:00 2001 From: mamutmk5 <3045922+mamutmk5@users.noreply.github.com> Date: Thu, 7 Nov 2024 16:04:21 +0100 Subject: [PATCH 4/5] BC-8372 - update trivy version --- .github/workflows/push.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 0972441277..06cbc3e84e 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -146,16 +146,8 @@ jobs: contents: read security-events: write steps: - - name: Get current date - id: date - run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - name: Restore cached trivy DBs - uses: actions/cache/restore@v4 - with: - path: ${{ github.workspace }}/.cache/trivy - key: cache-trivy-${{ steps.date.outputs.date }} - name: run trivy vulnerability scanner - uses: aquasecurity/trivy-action@1f6384b6ceecbbc6673526f865b818a2a06b07c9 + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 with: image-ref: "ghcr.io/${{ github.repository }}-default:${{ needs.branch_meta.outputs.sha }}" format: "sarif" From d4214c50b774b95244c510c4041e871bf901f149 Mon Sep 17 00:00:00 2001 From: mamutmk5 <3045922+mamutmk5@users.noreply.github.com> Date: Thu, 7 Nov 2024 16:08:29 +0100 Subject: [PATCH 5/5] BC-8372 - set scan type for trevy --- .github/workflows/push.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 06cbc3e84e..43a30df4f1 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -154,6 +154,7 @@ jobs: output: "trivy-results.sarif" severity: "CRITICAL,HIGH" ignore-unfixed: true + scan-type: 'image' env: TRIVY_SKIP_DB_UPDATE: true TRIVY_SKIP_JAVA_DB_UPDATE: true