diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 2987597..23cf71f 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -48,17 +48,6 @@ jobs:
 with:
 name: build-log-${{ matrix.target }}
 path: build_log
- ## To avoid the trivy-db becoming outdated, save the cache only for one day
- - name: Get date
- id: date
- run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
- - name: Restore trivy cache
- uses: actions/cache@v4
- with:
- path: cache/db
- key: trivy-cache-${{ steps.date.outputs.date }}
- restore-keys:
- trivy-cache-
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
 with:
@@ -69,12 +58,9 @@ jobs:
 format: 'template'
 template: '@/contrib/sarif.tpl'
 output: 'trivy-results.sarif'
- cache-dir: "./cache"
- ## Trivy-db uses `0600` permissions.
- ## But `action/cache` use `runner` user by default
- ## So we need to change the permissions before caching the database.
- - name: Change permissions for trivy.db
- run: sudo chmod 0644 ./cache/db/trivy.db
+ env:
+ TRIVY_SKIP_DB_UPDATE: true
+ TRIVY_SKIP_JAVA_DB_UPDATE: true
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
 with:
diff --git a/.github/workflows/update-trivy-cache.yaml b/.github/workflows/update-trivy-cache.yaml
new file mode 100644
index 0000000..83fc92f
--- /dev/null
+++ b/.github/workflows/update-trivy-cache.yaml
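Review bot: The `env:` added to the `Run Trivy vulnerability scanner` step tells Trivy never to refresh its database, yet nothing in this file now restores one — the `Restore trivy cache` step and `cache-dir` are removed with no replacement in view — so the scan's freshness rests on trivy-action's own cache restore (enabled by default in recent releases and keyed on the `cache-trivy-` prefix the new update workflow writes) and on that scheduled job succeeding. State that dependency where the flags are set, e.g. `# DB comes from trivy-action's built-in cache restore (key cache-trivy-*), populated by update-trivy-cache.yaml; never updated here`, and pin `uses: aquasecurity/trivy-action@master` to a release that has the built-in cache, since `@master` can change that behaviour underneath the flags. Write the flags as strings, `TRIVY_SKIP_DB_UPDATE: "true"` and `TRIVY_SKIP_JAVA_DB_UPDATE: "true"`, so a YAML 1.1 loader does not retype them before they reach the environment. On a cache miss the step should fail rather than upload an empty SARIF as a clean result; the step's `uses:` and the start of its `with:` lie outside this hunk, so that is worth checking on a branch with no cache.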
@@ -0,0 +1,36 @@
+# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans.
+# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true.
+name: Update Trivy Cache
+
+on:
+ schedule:
+ - cron: '0 1 * * *' # Run daily at midnight UTC
+ workflow_dispatch: # Allow manual triggering
+
+jobs:
+ update-trivy-db:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Get current date
+ id: date
+ run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+ - name: Download and extract the vulnerability DB
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+ oras pull ghcr.io/aquasecurity/trivy-db:2
+ tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+ rm db.tar.gz
+
+ - name: Download and extract the Java DB
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+ oras pull ghcr.io/aquasecurity/trivy-java-db:1
+ tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+ rm javadb.tar.gz
+
+ - name: Cache DBs
+ uses: actions/cache/save@v4
+ with:
+ path: ${{ github.workspace }}/.cache/trivy
+ key: cache-trivy-${{ steps.date.outputs.date }}
\ No newline at end of file
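Review bot: The comment on the `cron:` line says midnight UTC but `'0 1 * * *'` fires at 01:00 UTC; make them agree, e.g. `- cron: '0 1 * * *' # Run daily at 01:00 UTC`. The workflow declares no `permissions:`, so the job runs with the repository's default GITHUB_TOKEN grants although it only downloads two archives and saves a cache; add `permissions: contents: read` at the top level (cache save should not need any write scope) to keep it least-privilege. Cache keys are immutable, so a second run on the same date — say a manual `workflow_dispatch` after the scheduled one — will not replace the existing `cache-trivy-<date>` entry, which is worth a comment on the `key:` line. The two `oras pull` lines fetch mutable tags (`trivy-db:2`, `trivy-java-db:1`) with no digest check, mirroring what Trivy itself does; note on those lines that the scan DB's integrity and freshness now depend on this job rather than on the scan workflow, so its failures need to be watched.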