[Issue #2496] cache trivy (#2839)
## Summary

Very nearly fixes #2496

### Time to review: __1 min__

## Context for reviewers

I'm not committing to this 100% solving #2496 because the daily cronjob
can fail (on trivy rate limits) which would just mean we are back in the
same situation we have always been in. So I want to add tries on this
stuff because I can call the issue fully solved.

90% of the meat of this PR is pulled from Trivy's docs; I don't know
anything about the `oras` stuff.
coilysiren authored Nov 13, 2024
1 parent a43a399 commit 6619408
Showing 1 changed file with 45 additions and 0 deletions.
45 changes: 45 additions & 0 deletions .github/workflows/vulnerability-scans.yml
@@ -94,6 +94,48 @@ jobs:
steps:
- uses: actions/checkout@v4

- name: Get current date
id: date
run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"

- name: Restore cached trivy vulnerability and Java DBs
id: trivy-cache
uses: actions/cache/restore@v4
with:
path: ${{ github.workspace }}/.cache/trivy
key: trivy-cache-${{ steps.date.outputs.date }}

# Download and extract the vulnerability DB and Java DB
# This is based on the instructions here:
# https://github.com/aquasecurity/trivy-action/?tab=readme-ov-file#updating-caches-in-the-default-branch

- name: Setup oras
if: steps.trivy-cache.outputs.cache-hit != 'true'
uses: oras-project/setup-oras@v1

- name: Download and extract the vulnerability DB
if: steps.trivy-cache.outputs.cache-hit != 'true'
run: |
mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/db"
oras pull ghcr.io/aquasecurity/trivy-db:2
tar -xzf db.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/db"
rm db.tar.gz
- name: Download and extract the Java DB
if: steps.trivy-cache.outputs.cache-hit != 'true'
run: |
mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/java-db"
oras pull ghcr.io/aquasecurity/trivy-java-db:1
tar -xzf javadb.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/java-db"
rm javadb.tar.gz
- name: Cache DBs
if: steps.trivy-cache.outputs.cache-hit != 'true'
uses: actions/cache/save@v4
with:
path: ${{ github.workspace }}/.cache/trivy
key: trivy-cache-${{ steps.date.outputs.date }}

- name: Restore cached Docker image
uses: actions/cache/restore@v4
with:
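Review bot: the `Restore cached trivy vulnerability and Java DBs` step has no `restore-keys`, and the two `oras pull` steps have no retry, so on the rate-limited day the description anticipates the job fails outright instead of falling back to the previous day's DB. Adding `restore-keys: trivy-cache-` to the restore step and `continue-on-error: true` to the two download steps would keep scans running on a slightly stale DB, but then the `Cache DBs` save step (currently gated only on `steps.trivy-cache.outputs.cache-hit != 'true'`) must also be gated on the pulls having succeeded, otherwise the stale data from the partial-match restore is re-saved under today's key and served to every job for the rest of the day. Separately, `oras pull ghcr.io/aquasecurity/trivy-db:2` and `oras pull ghcr.io/aquasecurity/trivy-java-db:1` fetch mutable tags and `tar -xzf` the result straight into the cache with no digest or signature check; that is the same tag Trivy pulls for itself, so it is not a new trust boundary, but a short comment saying so (and that the tag is deliberately unpinned because the DB must move daily) would stop a later reader from "fixing" it by pinning a digest and silently freezing the vulnerability data.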
@@ -116,6 +158,9 @@ jobs:
ignore-unfixed: true
vuln-type: os
scanners: vuln,secret
env:
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true

- name: Save output to workflow summary
if: always() # Runs even if there is a failure
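Review bot: with `TRIVY_SKIP_DB_UPDATE: true` and `TRIVY_SKIP_JAVA_DB_UPDATE: true` on the scan step, Trivy will neither download nor refresh a DB, so this step now depends entirely on the earlier restore/download steps having populated the directory Trivy actually reads; the hunk does not set `cache-dir` (or `TRIVY_CACHE_DIR`) to `${{ github.workspace }}/.cache/trivy`, so it is worth stating that explicitly rather than relying on the action's default matching the cached path, and a missing or empty DB will then surface as a hard scan failure rather than a quiet fallback download. Also, since this scan runs with `vuln-type: os`, the Java DB is not consulted here; if no other step in this workflow scans JARs, the `trivy-java-db` pull and its share of the cache are dead weight and could be dropped.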

0 comments on commit 6619408