diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 0726c2cf..207bff8a 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -111,7 +111,7 @@ jobs: uses: actions/checkout@v4 - name: run trivy vulnerability scanner - uses: aquasecurity/trivy-action@1f6384b6ceecbbc6673526f865b818a2a06b07c9 + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 with: image-ref: 'ghcr.io/${{ github.repository }}:${{ github.sha }}' format: 'sarif' @@ -119,6 +119,10 @@ jobs: severity: 'CRITICAL,HIGH' exit-code: 1 ignore-unfixed: true + scan-type: 'image' + env: + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true - name: upload trivy results if: ${{ always() }} uses: github/codeql-action/upload-sarif@v3 diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 00000000..9ba6d25b --- /dev/null +++ b/.github/workflows/trivy.yml @@ -0,0 +1,39 @@ +# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans. +# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true. +name: Update Trivy Cache + +on: + schedule: + - cron: '0 0 * * *' # Run daily at midnight UTC + workflow_dispatch: # Allow manual triggering + +jobs: + update-trivy-db: + runs-on: ubuntu-latest + steps: + - name: Setup oras + uses: oras-project/setup-oras@v1 + + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + + - name: Download and extract the vulnerability DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db + oras pull ghcr.io/aquasecurity/trivy-db:2 + tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db + rm db.tar.gz + + - name: Download and extract the Java DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db + oras pull ghcr.io/aquasecurity/trivy-java-db:1 + tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db + rm javadb.tar.gz + + - name: Cache DBs + uses: actions/cache/save@v4 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }}