From 586e88abf18777245eb5752143a878bfc20de7c0 Mon Sep 17 00:00:00 2001 From: Pat Heard Date: Thu, 10 Oct 2024 10:19:23 -0400 Subject: [PATCH] fix: use CDS Trivy vulnerability database Update the Docker scan actions to use a self-hosted Trivy vulnerability database. This is being done to address the rate limiting of the publicly hosted database. --- .github/workflows/docker-vulnerability-scan.yml | 4 +++- .github/workflows/docker.yaml | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-vulnerability-scan.yml b/.github/workflows/docker-vulnerability-scan.yml index 4123f70ce2..a182a7bda0 100644 --- a/.github/workflows/docker-vulnerability-scan.yml +++ b/.github/workflows/docker-vulnerability-scan.yml @@ -32,7 +32,9 @@ jobs: registry-type: public - name: Docker vulnerability scan - uses: cds-snc/security-tools/.github/actions/docker-scan@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4 + uses: cds-snc/security-tools/.github/actions/docker-scan@34794baf2af592913bb5b51d8df4f8d0acc49b6f # v3.2.0 + env: + TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }} with: docker_image: "${{ env.DOCKER_SLUG }}:latest" dockerfile_path: "ci/Dockerfile" diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index e458c23e95..2e75f37175 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -103,7 +103,9 @@ jobs: TOKEN: ${{ steps.notify-pr-bot.outputs.token }} - name: Docker generate SBOM - uses: cds-snc/security-tools/.github/actions/generate-sbom@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4 + uses: cds-snc/security-tools/.github/actions/generate-sbom@34794baf2af592913bb5b51d8df4f8d0acc49b6f # v3.2.0 + env: + TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }} with: docker_image: "${{ env.DOCKER_SLUG }}:latest" dockerfile_path: "ci/Dockerfile"
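Review bot: The new `env: TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}` on the Docker vulnerability scan step has no guard for the repository variable being undefined; an undefined `vars.*` entry expands to an empty string, so the step would then run with `TRIVY_DB_REPOSITORY=` set-but-empty rather than unset, and whether Trivy treats that as "use the default public database" or as an invalid repository reference is not something this hunk establishes (the v3.2.0 composite action that actually invokes Trivy is not visible here, so how it propagates the env var should be confirmed too). Since this variable now decides which vulnerability database the scan trusts, I would fail fast with a step that checks it is non-empty before the scan (below), or, if silently falling back to the public database is the intended behaviour, say so in a comment above the `env:` key. That comment should also record that `vars.TRIVY_DB_REPOSITORY` is repository/organisation configuration that anyone who can edit repository settings can repoint, and that a stale mirror makes the scan pass silently, so the mirror's refresh cadence is part of this control. The enclosing `steps:` list and job start before this hunk.
```yaml
      - name: Check Trivy DB repository is configured
        run: |
          if [ -z "${TRIVY_DB_REPOSITORY}" ]; then
            echo "::error::Repository variable TRIVY_DB_REPOSITORY is not set"
            exit 1
          fi
        env:
          TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}

      - name: Docker vulnerability scan
        # … unchanged: uses/env/with of the scan step …
```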
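Review bot: The `env: TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}` added to the Docker generate SBOM step carries no comment explaining why an SBOM-generation step is being pointed at a vulnerability-database mirror, and the rate-limiting rationale lives only in the commit message. I would add above `env:` something like `# Point Trivy at the self-hosted vulnerability DB mirror (repo variable TRIVY_DB_REPOSITORY) to avoid rate limiting on the public DB; note an undefined variable expands to an empty string here`. If further steps in this workflow come to need the same value, it would be cleaner to declare it once under the job's or workflow's top-level `env:` than to repeat it on each `uses:` step, so the Trivy-based steps cannot drift apart. The enclosing job and its `steps:` list start before this hunk.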