From cf8f8ef27cbd93b88a0c17f06f750f9a924923cb Mon Sep 17 00:00:00 2001
From: DaMandal0rian
Date: Tue, 17 Dec 2024 16:15:18 +0300
Subject: [PATCH 1/2] bump latest release and remove update db workflow
---
 .github/workflows/trivy-security-scan.yml | 2 ++
 .github/workflows/update-trivy-db.yml | 32 -----------------------
 2 files changed, 2 insertions(+), 32 deletions(-)
 delete mode 100644 .github/workflows/update-trivy-db.yml
diff --git a/.github/workflows/trivy-security-scan.yml b/.github/workflows/trivy-security-scan.yml
index 26bc5d79cb..fcb51baefd 100644
--- a/.github/workflows/trivy-security-scan.yml
+++ b/.github/workflows/trivy-security-scan.yml
@@ -48,6 +48,7 @@ jobs:
 if: github.event.client_payload.image != ''
 uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
 with:
+ version: 'v0.57.2'
 image-ref: ${{ github.event.client_payload.image }}
 cache: 'true'
 format: "sarif"
@@ -72,6 +73,7 @@ jobs:
 - name: Run Trivy filesystem scan
 uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
 with:
+ version: 'v0.57.2'
 scan-type: 'fs'
 cache: 'true'
 format: 'sarif'
diff --git a/.github/workflows/update-trivy-db.yml b/.github/workflows/update-trivy-db.yml
deleted file mode 100644
index 837f170c03..0000000000
--- a/.github/workflows/update-trivy-db.yml
+++ /dev/null
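Review bot: The pinned scanner version is now written out twice — `version: 'v0.57.2'` here and again in the filesystem-scan hunk (`@@ -72,6 +73,7`) — and the second patch in this series already has to edit both lines in lockstep, which is exactly the drift that duplicated pins invite. A workflow-level `env:` entry such as `TRIVY_VERSION: 'v0.57.2'`, referenced from both steps as `version: ${{ env.TRIVY_VERSION }}`, keeps the image scan and the filesystem scan on one release by construction. Both steps belong to job `steps:` lists that start outside the hunk.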
@@ -1,32 +0,0 @@
-# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans. -# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true. -name: Update Trivy Cache - -on: - schedule: - - cron: '0 0 * * *' # Run daily at midnight UTC - workflow_dispatch: # Allow manual triggering - -jobs: - update-trivy-db: - runs-on: ubuntu-latest - steps: - - name: Setup oras - uses: oras-project/setup-oras@v1 - - name: Get current date - id: date - run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - name: Download and extract the vulnerability DB - run: | - mkdir -p .cache/trivy/db - oras pull ghcr.io/aquasecurity/trivy-db:2 - tar -xzf db.tar.gz -C .cache/trivy/db - rm db.tar.gz - - name: Cache DBs - uses: actions/cache/save@v4 - with: - path: .cache/trivy - key: cache-trivy-${{ steps.date.outputs.date }}
From 7cf13438047a4b7ceccfcf3201700ef62814bc2a Mon Sep 17 00:00:00 2001
From: DaMandal0rian
Date: Sat, 21 Dec 2024 14:06:51 +0300
Subject: [PATCH 2/2] remove skip DB update env, and use 'latest' release
---
 .github/workflows/trivy-security-scan.yml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/trivy-security-scan.yml b/.github/workflows/trivy-security-scan.yml
index fcb51baefd..12be79ccb4 100644
--- a/.github/workflows/trivy-security-scan.yml
+++ b/.github/workflows/trivy-security-scan.yml
@@ -48,7 +48,7 @@ jobs:
 if: github.event.client_payload.image != ''
 uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
 with:
- version: 'v0.57.2'
+ version: 'latest'
 image-ref: ${{ github.event.client_payload.image }}
 cache: 'true'
 format: "sarif"
@@ -59,8 +59,6 @@ jobs:
 severity: "CRITICAL,HIGH"
 env:
 TRIVY_CACHE_DIR: .cache/trivy
- TRIVY_SKIP_DB_UPDATE: true
- TRIVY_SKIP_JAVA_DB_UPDATE: true

 # Upload image scan results
 - name: Upload Trivy image scan results
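Review bot: `version: 'latest'` lets the Trivy binary float from run to run while the action on the line above stays SHA-pinned (`# v0.28.0`), so two scans of the same commit can run different scanner releases with nothing in the workflow recording which one; the filesystem-scan hunk (`@@ -73,7 +71,7`) makes the same change. The subject line says the workflow should "use 'latest' release" but not why the `v0.57.2` pin from the first patch was dropped. If the aim is only to avoid a stale scanner, a pinned value bumped on a schedule (`version: 'v0.57.2'` plus an automated bump) keeps scans reproducible and auditable; if floating is intentional, a comment on the line, e.g. `version: 'latest'  # deliberately unpinned: always scan with the newest Trivy`, would record that decision.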
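Review bot: Dropping `TRIVY_SKIP_DB_UPDATE` and `TRIVY_SKIP_JAVA_DB_UPDATE` here and in the filesystem-scan hunk (`@@ -82,8 +80,6`) is consistent with the first patch deleting the scheduled job that pre-populated `.cache/trivy`, but that workflow's header comment was the only place explaining the skip variables and the cache layout, and nothing replaces it; the retained `cache: 'true'` and `TRIVY_CACHE_DIR: .cache/trivy` now have no documented purpose. Every run now fetches the vulnerability DB itself, and if throttling of those downloads was the reason the pre-warm job existed, that concern is no longer addressed anywhere in the workflow. A comment above `env:` such as `# Trivy refreshes its own DB each run; the cache dir only reuses it across runs` would record the new arrangement. Both `env:` blocks belong to steps whose start is outside the hunk.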
@@ -73,7 +71,7 @@ jobs:
 - name: Run Trivy filesystem scan
 uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
 with:
- version: 'v0.57.2'
+ version: 'latest'
 scan-type: 'fs'
 cache: 'true'
 format: 'sarif'
@@ -82,8 +80,6 @@ jobs:
 ignore-unfixed: true
 env:
 TRIVY_CACHE_DIR: .cache/trivy
- TRIVY_SKIP_DB_UPDATE: true
- TRIVY_SKIP_JAVA_DB_UPDATE: true

 # Upload filesystem scan results
 - name: Upload Trivy filesystem scan results