Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

golang and docker workflows: Update trivy configuration to last github action version #140

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 0 additions & 18 deletions .github/workflows/docker.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -143,32 +143,14 @@ jobs:
- name: Extract first tag
id: extract_tag
run: echo "::set-output name=tag::$(echo "${{ needs.build.outputs.tags }}" | head -n1)"
## To avoid the trivy-db becoming outdated, we save the cache for one day
- name: Get data
id: date
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
- name: Restore trivy cache
uses: actions/cache@v4
with:
path: cache/db
key: trivy-cache-${{ steps.date.outputs.date }}
restore-keys:
trivy-cache-
- name: Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: image
image-ref: ${{ steps.extract_tag.outputs.tag }}
trivy-config:
scanners: "vuln,secret,misconfig"
exit-code: '1'
severity: MEDIUM,HIGH,CRITICAL
cache-dir: "./cache"
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
## Trivy-db uses `0600` permissions.
## But `action/cache` use `runner` user by default
## So we need to change the permissions before caching the database.
- name: change permissions for trivy.db
run: sudo chmod 0644 ./cache/db/trivy.db
20 changes: 2 additions & 18 deletions .github/workflows/golang.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -246,17 +246,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
## To avoid the trivy-db becoming outdated, we save the cache for one day
- name: Get data
id: date
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
- name: Restore trivy cache
uses: actions/cache@v4
with:
path: cache/db
key: trivy-cache-${{ steps.date.outputs.date }}
restore-keys:
trivy-cache-
- name: Run Trivy vulnerability scanner (for summary)
uses: aquasecurity/trivy-action@master
with:
Expand All @@ -266,7 +255,6 @@ jobs:
scanners: "vuln,secret,misconfig"
hide-progress: true
output: trivy.txt
cache-dir: "./cache"
- name: Publish Trivy Output to Summary
run: |
if [[ -s trivy.txt ]]; then
Expand All @@ -288,9 +276,5 @@ jobs:
scanners: "vuln,secret,misconfig"
exit-code: '1'
severity: MEDIUM,HIGH,CRITICAL
cache-dir: "./cache"
## Trivy-db uses `0600` permissions.
## But `action/cache` use `runner` user by default
## So we need to change the permissions before caching the database.
- name: change permissions for trivy.db
run: sudo chmod 0644 ./cache/db/trivy.db
# On a subsequent call to the action we know trivy is already installed so can skip this
skip-setup-trivy: true
51 changes: 51 additions & 0 deletions .github/workflows/trivy-cache-update.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
# Copyright 2024 Zaphiro Technologies
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: Update Trivy Cache

on:
schedule:
- cron: '0 0 * * *' # Run daily at midnight UTC
workflow_dispatch: # Allow manual triggering

jobs:
update-trivy-db:
runs-on: ubuntu-latest
steps:
- name: Setup oras
uses: oras-project/setup-oras@v1

- name: Get current date
id: date
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT

- name: Download and extract the vulnerability DB
run: |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
oras pull ghcr.io/aquasecurity/trivy-db:2
tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
rm db.tar.gz

- name: Download and extract the Java DB
run: |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
oras pull ghcr.io/aquasecurity/trivy-java-db:1
tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
rm javadb.tar.gz

- name: Cache DBs
uses: actions/cache/save@v4
with:
path: ${{ github.workspace }}/.cache/trivy
key: cache-trivy-${{ steps.date.outputs.date }}
Loading