feat: add cron-job to update Trivy (#256)

**Proposed Changes** Added cron-job to update Trivy's database daily and store it in cache I submit this contribution under the Apache-2.0 license.
Checkmarx · Nov 13, 2024 · d3bf5da · d3bf5da
1 parent 7ef3b34
commit d3bf5da
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 11 deletions.
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -32,7 +32,6 @@ jobs:
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb #v3.3.0
-
 
   trivy-scanning:
     runs-on: ubuntu-latest
@@ -48,17 +47,20 @@ jobs:
           file: ./Dockerfile
           platforms: linux/amd64
           push: false
-          tags: |
-            checkmarx/2ms:scanme
+          tags: checkmarx/2ms:scanme
+
+      - name: Run Trivy Scan
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
+        with:
+          image-ref: checkmarx/2ms:scanme
+          vuln-type: os,library
+          format: table
+          ignore-unfixed: true
+          severity: CRITICAL,HIGH,MEDIUM,LOW
+          trivy-config: trivy.yaml
+          exit-code: '1'
+
 
-      - name: Install trivy and Run it
-        run: |
-          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
-          echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
-          sudo apt-get update && sudo apt-get install -y trivy
-          trivy image checkmarx/2ms:scanme --exit-code 1 \
-          --ignore-unfixed --vuln-type os,library --no-progress --severity CRITICAL,HIGH,MEDIUM,LOW --vex ./ignore.openvex
-  
   secret-scanning:
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/update-trivy-cron.yml b/.github/workflows/update-trivy-cron.yml
@@ -0,0 +1,37 @@
+name: Update Trivy Cache
+
+on:
+  schedule:
+    - cron: '0 0 * * *' # Run daily at midnight UTC
+  workflow_dispatch: # Allow manual triggering
+
+jobs:
+  update-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup oras
+        uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c # v1.2.1
+
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Download and extract the vulnerability DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+          oras pull ghcr.io/aquasecurity/trivy-db:2
+          tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+          rm db.tar.gz
+
+      - name: Download and extract the Java DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+          oras pull ghcr.io/aquasecurity/trivy-java-db:1
+          tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+          rm javadb.tar.gz
+
+      - name: Cache DBs
+        uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.2.1
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}
diff --git a/trivy.yaml b/trivy.yaml
@@ -0,0 +1,3 @@
+vulnerability:
+  vex:
+  - ignore.openvex