fix: update trivy scan action with fallback db (rate-limiting)

hotosm · Oct 24, 2024 · ecddb6d · ecddb6d
1 parent 62971f2
commit ecddb6d
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/.github/workflows/image_build.yml b/.github/workflows/image_build.yml
@@ -196,11 +196,15 @@ jobs:
 
     steps:
       - name: Scan Container Image
-        uses: aquasecurity/trivy-action@0.23.0
+        uses: aquasecurity/trivy-action@0.28.0
         with:
           image-ref: ${{ needs.build-image.outputs.image_name }}
           format: "table"
           exit-code: "1"
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "CRITICAL"
+        # Avoid rate-limiting, see: https://github.com/aquasecurity/trivy-action/issues/389
+        env:
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
diff --git a/.github/workflows/image_build_multi.yml b/.github/workflows/image_build_multi.yml
@@ -257,11 +257,15 @@ jobs:
 
     steps:
       - name: Scan Container Image
-        uses: aquasecurity/trivy-action@0.23.0
+        uses: aquasecurity/trivy-action@0.28.0
         with:
           image-ref: ${{ needs.build-images.outputs.image_name }}
           format: "table"
           exit-code: "1"
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "CRITICAL"
+        # Avoid rate-limiting, see: https://github.com/aquasecurity/trivy-action/issues/389
+        env:
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db