Skip to content

Commit

Permalink
fix(ci): Fix Trivy TOOMANYREQUESTS errors
Browse files Browse the repository at this point in the history
  • Loading branch information
Tiryoh authored Oct 8, 2024
1 parent 5fb381e commit 94c0e53
Showing 1 changed file with 20 additions and 20 deletions.
40 changes: 20 additions & 20 deletions .github/workflows/test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ on:
- "**/Dockerfile"
- "poetry.lock"
- "pyproject.toml"
- "requirements.txt"
- ".github/workflows/test.yaml"

env:
Expand Down Expand Up @@ -47,35 +48,34 @@ jobs:
with:
name: build-log-${{ matrix.target }}
path: build_log
# - name: Install Trivy
# run: |
# sudo apt-get install apt-transport-https gnupg
# wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
# echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
# sudo apt-get update
# sudo apt-get install trivy
# - name: Install Trivy template
# uses: actions/checkout@v4
# with:
# repository: aquasecurity/trivy
# path: trivy
# - name: Vulnerability Scan with Trivy
# env:
# DOCKER_LABEL: ${{ matrix.target }}
# run: |
# trivy image --format template --template "@trivy/contrib/sarif.tpl" --exit-code 0 --vuln-type os,library --severity CRITICAL,HIGH --output trivy-results.sarif --no-progress $DOCKER_USERNAME/$DOCKER_IMAGENAME:$DOCKER_LABEL
## To avoid the trivy-db becoming outdated, save the cache only for one day
- name: Get date
id: date
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
- name: Restore trivy cache
uses: actions/cache@v4
with:
path: cache/db
key: trivy-cache-${{ steps.date.outputs.date }}
restore-keys:
trivy-cache-
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: '${{ env.DOCKER_USERNAME }}/${{ env.DOCKER_IMAGENAME }}:${{ matrix.target }}'
exit-code: '0'
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
format: 'template'
template: '@/contrib/sarif.tpl'
format: 'sarif'
output: 'trivy-results.sarif'
cache-dir: "./cache"
## Trivy-db uses `0600` permissions.
## But `action/cache` use `runner` user by default
## So we need to change the permissions before caching the database.
- name: Change permissions for trivy.db
run: sudo chmod 0644 ./cache/db/trivy.db
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
wait-for-processing: true

0 comments on commit 94c0e53

Please sign in to comment.