chore(ci): Use Trivy cache to avoid CI error #63
Conversation
WalkthroughA new GitHub Actions workflow file named Changes
Poem
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Outside diff range and nitpick comments (3)
.github/workflows/update-trivy-cache.yaml (3)
14-16: Minor improvement: Use double quotes in shell command.The shell command looks good, but it's a best practice to use double quotes around variable expansions to prevent potential issues with word splitting or globbing.
Consider updating the command as follows:
- run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"🧰 Tools
🪛 actionlint
16-16: shellcheck reported issue in this script: SC2086:info:1:36: Double quote to prevent globbing and word splitting
(shellcheck)
18-23: Improve shell script robustness and consider error handling.The step correctly handles potential failures by trying an alternative registry, which is good. However, there are a few improvements we can make:
- Use double quotes around variable expansions.
- Consider adding error handling for the extraction step.
Here's an improved version of the script:
run: | - mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db - oras pull ghcr.io/aquasecurity/trivy-db:2 || oras pull ghcr.io/tiryoh/aquasecurity/trivy-db:2 - tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db - rm db.tar.gz + mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/db" + if ! (oras pull ghcr.io/aquasecurity/trivy-db:2 || oras pull ghcr.io/tiryoh/aquasecurity/trivy-db:2); then + echo "Failed to pull Trivy database" >&2 + exit 1 + fi + if ! tar -xzf db.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/db"; then + echo "Failed to extract Trivy database" >&2 + exit 1 + fi + rm db.tar.gzWould you like me to implement these changes or provide any additional enhancements to improve error handling or logging?
🧰 Tools
🪛 actionlint
19-19: shellcheck reported issue in this script: SC2086:info:1:10: Double quote to prevent globbing and word splitting
(shellcheck)
19-19: shellcheck reported issue in this script: SC2086:info:3:23: Double quote to prevent globbing and word splitting
(shellcheck)
32-36: LGTM: Caching step is well-implemented.The caching step is correctly implemented using the
actions/cache/save@v4action. The cache key includes the current date, which ensures that the cache is updated daily. This is a good practice for maintaining up-to-date vulnerability databases.Consider adding a step to list the contents of the cache directory before saving, which can help with debugging:
- name: List cache contents run: ls -R ${{ github.workspace }}/.cache/trivy - name: Cache DBs uses: actions/cache/save@v4 with: path: ${{ github.workspace }}/.cache/trivy key: cache-trivy-${{ steps.date.outputs.date }}
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (1)
- .github/workflows/update-trivy-cache.yaml (1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/update-trivy-cache.yaml
16-16: shellcheck reported issue in this script: SC2086:info:1:36: Double quote to prevent globbing and word splitting
(shellcheck)
19-19: shellcheck reported issue in this script: SC2086:info:1:10: Double quote to prevent globbing and word splitting
(shellcheck)
19-19: shellcheck reported issue in this script: SC2086:info:3:23: Double quote to prevent globbing and word splitting
(shellcheck)
26-26: shellcheck reported issue in this script: SC2086:info:1:10: Double quote to prevent globbing and word splitting
(shellcheck)
26-26: shellcheck reported issue in this script: SC2086:info:3:27: Double quote to prevent globbing and word splitting
(shellcheck)
🔇 Additional comments (2)
.github/workflows/update-trivy-cache.yaml (2)
1-8: LGTM: Workflow name and triggers are well-defined.The workflow name accurately describes its purpose, and the triggers (daily schedule and manual) are appropriate for updating vulnerability databases.
1-36: Overall, this is a well-implemented workflow for updating the Trivy cache.The workflow successfully achieves its purpose of regularly updating and caching the Trivy vulnerability databases. It includes appropriate triggers, error handling, and caching mechanisms. The suggested improvements are minor and focus on shell scripting best practices and potential refactoring for better maintainability.
Great job on implementing this workflow to enhance the security scanning process in your CI/CD pipeline!
🧰 Tools
🪛 actionlint
16-16: shellcheck reported issue in this script: SC2086:info:1:36: Double quote to prevent globbing and word splitting
(shellcheck)
19-19: shellcheck reported issue in this script: SC2086:info:1:10: Double quote to prevent globbing and word splitting
(shellcheck)
19-19: shellcheck reported issue in this script: SC2086:info:3:23: Double quote to prevent globbing and word splitting
(shellcheck)
26-26: shellcheck reported issue in this script: SC2086:info:1:10: Double quote to prevent globbing and word splitting
(shellcheck)
26-26: shellcheck reported issue in this script: SC2086:info:3:27: Double quote to prevent globbing and word splitting
(shellcheck)
| - name: Download and extract the Java DB | ||
| run: | | ||
| mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db | ||
| oras pull ghcr.io/aquasecurity/trivy-java-db:1 || oras pull ghcr.io/tiryoh/aquasecurity/trivy-java-db:1 | ||
| tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db | ||
| rm javadb.tar.gz |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Improve shell script and consider refactoring for DRY principle.
This step is structurally similar to the previous one, which is good for consistency. However, we can make some improvements:
- Use double quotes around variable expansions.
- Consider refactoring this step and the previous one to reduce duplication.
Here's an improved version of the script:
run: |
- mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
- oras pull ghcr.io/aquasecurity/trivy-java-db:1 || oras pull ghcr.io/tiryoh/aquasecurity/trivy-java-db:1
- tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
- rm javadb.tar.gz
+ mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/java-db"
+ if ! (oras pull ghcr.io/aquasecurity/trivy-java-db:1 || oras pull ghcr.io/tiryoh/aquasecurity/trivy-java-db:1); then
+ echo "Failed to pull Java database" >&2
+ exit 1
+ fi
+ if ! tar -xzf javadb.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/java-db"; then
+ echo "Failed to extract Java database" >&2
+ exit 1
+ fi
+ rm javadb.tar.gzAdditionally, to reduce duplication, we could refactor both this step and the previous one into a reusable function or a separate action. Would you like assistance in implementing this refactoring?
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Download and extract the Java DB | |
| run: | | |
| mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db | |
| oras pull ghcr.io/aquasecurity/trivy-java-db:1 || oras pull ghcr.io/tiryoh/aquasecurity/trivy-java-db:1 | |
| tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db | |
| rm javadb.tar.gz | |
| - name: Download and extract the Java DB | |
| run: | | |
| mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/java-db" | |
| if ! (oras pull ghcr.io/aquasecurity/trivy-java-db:1 || oras pull ghcr.io/tiryoh/aquasecurity/trivy-java-db:1); then | |
| echo "Failed to pull Java database" >&2 | |
| exit 1 | |
| fi | |
| if ! tar -xzf javadb.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/java-db"; then | |
| echo "Failed to extract Java database" >&2 | |
| exit 1 | |
| fi | |
| rm javadb.tar.gz |
🧰 Tools
🪛 actionlint
26-26: shellcheck reported issue in this script: SC2086:info:1:10: Double quote to prevent globbing and word splitting
(shellcheck)
26-26: shellcheck reported issue in this script: SC2086:info:3:27: Double quote to prevent globbing and word splitting
(shellcheck)
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Outside diff range and nitpick comments (1)
.github/workflows/update-trivy-cache.yaml (1)
10-16: Minor improvement: Quote the echo argument.The job and step definitions look good. However, there's a minor improvement we can make to the echo command in the "Get current date" step:
- run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"This change adds quotes around
$GITHUB_OUTPUTto prevent potential issues with word splitting or globbing.🧰 Tools
🪛 actionlint
16-16: shellcheck reported issue in this script: SC2086:info:1:36: Double quote to prevent globbing and word splitting
(shellcheck)
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (1)
- .github/workflows/update-trivy-cache.yaml (1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/update-trivy-cache.yaml
16-16: shellcheck reported issue in this script: SC2086:info:1:36: Double quote to prevent globbing and word splitting
(shellcheck)
🔇 Additional comments (4)
.github/workflows/update-trivy-cache.yaml (4)
1-8: LGTM: Well-structured workflow configuration.The workflow name is descriptive, and the trigger configuration is appropriate for the task. The added comments provide valuable context for users, explaining the purpose of this workflow and how it relates to actual Trivy scans.
18-29: LGTM: Well-implemented database download and extraction.This step is robustly implemented with several noteworthy features:
- Proper directory creation with quoted paths.
- Fallback mechanism using two registries.
- Effective error handling for both pull and extract operations.
- Cleanup of the downloaded file after extraction.
- Correct use of quoting and error redirection.
These practices contribute to a reliable and maintainable workflow.
44-48: LGTM: Effective use of caching.This step makes good use of the
actions/cache/save@v4action to cache the downloaded databases. The cache key includes the current date, which ensures that the cache is updated daily. This approach is well-suited for the workflow's purpose of maintaining an up-to-date Trivy cache.
1-48: Overall, well-implemented workflow with minor improvement opportunities.This new workflow for updating the Trivy cache is well-structured and achieves its intended purpose effectively. Key strengths include:
- Clear naming and scheduling.
- Robust error handling and fallback mechanisms.
- Effective use of GitHub Actions features like outputs and caching.
There are a few minor improvements that could be made:
- Quoting the
$GITHUB_OUTPUTvariable in the "Get current date" step.- Refactoring the database download and extraction steps to reduce duplication.
These changes would further enhance the maintainability and robustness of the workflow. Great job on implementing this important CI/CD improvement!
🧰 Tools
🪛 actionlint
16-16: shellcheck reported issue in this script: SC2086:info:1:36: Double quote to prevent globbing and word splitting
(shellcheck)
| - name: Download and extract the Java DB | ||
| run: | | ||
| mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/java-db" | ||
| if ! (oras pull ghcr.io/aquasecurity/trivy-java-db:1 || oras pull ghcr.io/tiryoh/aquasecurity/trivy-java-db:1); then | ||
| echo "Failed to pull Java database" >&2 | ||
| exit 1 | ||
| fi | ||
| if ! tar -xzf javadb.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/java-db"; then | ||
| echo "Failed to extract Java database" >&2 | ||
| exit 1 | ||
| fi | ||
| rm javadb.tar.gz |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Consider refactoring to reduce duplication.
This step is well-implemented and follows the same robust practices as the previous step. However, there's significant duplication between this step and the "Download and extract the vulnerability DB" step.
To improve maintainability, consider refactoring these steps into a reusable function or a composite action. This would reduce duplication and make future updates easier.
Here's a high-level suggestion for refactoring:
- Create a composite action (e.g.,
download-and-extract-db.yml) with inputs for the database name, directory, and registry URLs. - Replace both steps with calls to this new action.
Would you like assistance in implementing this refactoring?
Summary by CodeRabbit