From 6b70d8bf3f257e47cd1a8e7600b7c65a4a5f5f5c Mon Sep 17 00:00:00 2001 From: "Federico M. Facca" Date: Tue, 12 Nov 2024 18:10:30 +0100 Subject: [PATCH 1/4] update trivy configuration to native cache support --- .github/workflows/docker.yaml | 16 ---------------- .github/workflows/golang.yaml | 20 ++------------------ 2 files changed, 2 insertions(+), 34 deletions(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 02a7f33..bebbe08 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -144,16 +144,6 @@ jobs: id: extract_tag run: echo "::set-output name=tag::$(echo "${{ needs.build.outputs.tags }}" | head -n1)" ## To avoid the trivy-db becoming outdated, we save the cache for one day - - name: Get data - id: date - run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT - - name: Restore trivy cache - uses: actions/cache@v4 - with: - path: cache/db - key: trivy-cache-${{ steps.date.outputs.date }} - restore-keys: - trivy-cache- - name: Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: @@ -163,12 +153,6 @@ jobs: scanners: "vuln,secret,misconfig" exit-code: '1' severity: MEDIUM,HIGH,CRITICAL - cache-dir: "./cache" env: TRIVY_USERNAME: ${{ github.actor }} TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - ## Trivy-db uses `0600` permissions. - ## But `action/cache` use `runner` user by default - ## So we need to change the permissions before caching the database. - - name: change permissions for trivy.db - run: sudo chmod 0644 ./cache/db/trivy.db diff --git a/.github/workflows/golang.yaml b/.github/workflows/golang.yaml index 36f015a..81c8621 100644 --- a/.github/workflows/golang.yaml +++ b/.github/workflows/golang.yaml 
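Review bot: The scanner steps that remain after this hunk and the following one still run `uses: aquasecurity/trivy-action@master`, and the commit now depends on the action's built-in cache handling replacing the removed `actions/cache` steps, so the cache contract this repository relies on is whatever master does on a given day. Pin the action to a released tag or commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag>` (a version known to support the native cache), so a change on master cannot silently disable caching or alter what the step does with the `TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}` it receives. The same floating ref appears in the golang.yaml hunks of this patch (the steps at 246 and 288) and should be pinned there too. The job these steps belong to starts outside the hunk.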
@@ -246,17 +246,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - ## To avoid the trivy-db becoming outdated, we save the cache for one day - - name: Get data - id: date - run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT - - name: Restore trivy cache - uses: actions/cache@v4 - with: - path: cache/db - key: trivy-cache-${{ steps.date.outputs.date }} - restore-keys: - trivy-cache- - name: Run Trivy vulnerability scanner (for summary) uses: aquasecurity/trivy-action@master with: @@ -266,7 +255,6 @@ jobs: scanners: "vuln,secret,misconfig" hide-progress: true output: trivy.txt - cache-dir: "./cache" - name: Publish Trivy Output to Summary run: | if [[ -s trivy.txt ]]; then @@ -288,9 +276,5 @@ jobs: scanners: "vuln,secret,misconfig" exit-code: '1' severity: MEDIUM,HIGH,CRITICAL - cache-dir: "./cache" - ## Trivy-db uses `0600` permissions. - ## But `action/cache` use `runner` user by default - ## So we need to change the permissions before caching the database. - - name: change permissions for trivy.db - run: sudo chmod 0644 ./cache/db/trivy.db + # On a subsequent call to the action we know trivy is already installed so can skip this + skip-setup-trivy: true From ddab486894974e696c704f1f1f6e98d19ba518b6 Mon Sep 17 00:00:00 2001 From: "Federico M. Facca" Date: Tue, 12 Nov 2024 18:13:34 +0100 Subject: [PATCH 2/4] Create trivy-cache-update.yaml --- .github/workflows/trivy-cache-update.yaml | 37 +++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/trivy-cache-update.yaml diff --git a/.github/workflows/trivy-cache-update.yaml b/.github/workflows/trivy-cache-update.yaml new file mode 100644 index 0000000..b2b23ab --- /dev/null +++ b/.github/workflows/trivy-cache-update.yaml 
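Review bot: The added `skip-setup-trivy: true` in the third hunk only works if the earlier "Run Trivy vulnerability scanner (for summary)" step has already run in the same job; if that step is removed or moved to its own job, this step will fail because no trivy binary has been installed, and the comment above the key does not name that dependency. Make it explicit, e.g. `# Trivy was installed by the "(for summary)" step above; keep both steps in this job or drop this key`. The job header and the summary step's position are outside this hunk, so the same-job assumption is inferred from the line numbers.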
@@ -0,0 +1,37 @@ +name: Update Trivy Cache + +on: + schedule: + - cron: '0 0 * * *' # Run daily at midnight UTC + workflow_dispatch: # Allow manual triggering + +jobs: + update-trivy-db: + runs-on: ubuntu-latest + steps: + - name: Setup oras + uses: oras-project/setup-oras@v1 + + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + + - name: Download and extract the vulnerability DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db + oras pull ghcr.io/aquasecurity/trivy-db:2 + tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db + rm db.tar.gz + + - name: Download and extract the Java DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db + oras pull ghcr.io/aquasecurity/trivy-java-db:1 + tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db + rm javadb.tar.gz + + - name: Cache DBs + uses: actions/cache/save@v4 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }} From 7f4e139c6f8e08a732de642d2ecc5641d0baa4ee Mon Sep 17 00:00:00 2001 From: License Bot Date: Tue, 12 Nov 2024 17:43:46 +0000 Subject: [PATCH 3/4] Automatic application of license header --- .github/workflows/trivy-cache-update.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/trivy-cache-update.yaml b/.github/workflows/trivy-cache-update.yaml index b2b23ab..0da0550 100644 --- a/.github/workflows/trivy-cache-update.yaml +++ b/.github/workflows/trivy-cache-update.yaml 
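Review bot: The new workflow declares no `permissions:` block, so its GITHUB_TOKEN gets the repository's default grant even though none of the four steps visibly needs it (oras pulls public ghcr.io images and actions/cache/save uses the runtime token). Add `permissions:` / `  contents: read` (or `permissions: {}` if the empty grant is confirmed to work) at the top level so a scheduled job that downloads and unpacks third-party archives runs with the least privilege. As a style point, the `run` blocks expand `$GITHUB_WORKSPACE` unquoted; `mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/db"` and the matching `tar -xzf ... -C "$GITHUB_WORKSPACE/..."` lines are the conventional form. It is also worth a comment on the `key:` line that the consumers restore it via the action's native cache, since nothing in this file says who reads `cache-trivy-<date>`.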
@@ -1,3 +1,17 @@ +# Copyright 2024 Zaphiro Technologies +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + name: Update Trivy Cache on: From f1892149b313ecb590124d3e74330150153d95dd Mon Sep 17 00:00:00 2001 From: "Federico M. Facca" Date: Tue, 12 Nov 2024 18:44:16 +0100 Subject: [PATCH 4/4] Update docker.yaml --- .github/workflows/docker.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index bebbe08..2a19dca 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -143,13 +143,11 @@ jobs: - name: Extract first tag id: extract_tag run: echo "::set-output name=tag::$(echo "${{ needs.build.outputs.tags }}" | head -n1)" - ## To avoid the trivy-db becoming outdated, we save the cache for one day - name: Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: scan-type: image image-ref: ${{ steps.extract_tag.outputs.tag }} - trivy-config: scanners: "vuln,secret,misconfig" exit-code: '1' severity: MEDIUM,HIGH,CRITICAL