From 6422703ee045be32608848d7c87009bd637b6001 Mon Sep 17 00:00:00 2001 From: Steven Bal Date: Fri, 1 Nov 2024 09:27:21 +0100 Subject: [PATCH] :construction_worker: [maykinmedia/objects-api#463] Fix trivy rate limiting errors --- .github/workflows/ci.yml | 4 ++++ .github/workflows/trivy.yml | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 .github/workflows/trivy.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 33d9e12..d0e1374 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -132,6 +132,10 @@ jobs: format: 'sarif' output: 'trivy-results-docker.sarif' ignore-unfixed: true + env: + # Uses the cache from trivy.yml workflow + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true - name: Upload results to GH Security tab uses: github/codeql-action/upload-sarif@v3 diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 0000000..df01b2f --- /dev/null +++ b/.github/workflows/trivy.yml @@ -0,0 +1,37 @@ +name: Update Trivy Cache + +on: + workflow_call: # This allows other workflows to call it + inputs: # Define any inputs if necessary (optional) + manual_trigger: + required: false + type: boolean + default: false + +jobs: + update-trivy-db: + runs-on: ubuntu-latest + steps: + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + + - name: Download and extract the vulnerability DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db + oras pull ghcr.io/aquasecurity/trivy-db:2 + tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db + rm db.tar.gz + + - name: Download and extract the Java DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db + oras pull ghcr.io/aquasecurity/trivy-java-db:1 + tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db + rm javadb.tar.gz + + - name: Cache DBs + uses: actions/cache/save@v4 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }}