diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
index 01014f2bc..c5ec4fe5a 100644
--- a/.github/workflows/vulnerability-scans.yml
+++ b/.github/workflows/vulnerability-scans.yml
@@ -94,6 +94,48 @@ jobs:
     steps:
       - uses: actions/checkout@v4
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
+
+      - name: Restore cached trivy vulnerability and Java DBs
+        id: trivy-cache
+        uses: actions/cache/restore@v4
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: trivy-cache-${{ steps.date.outputs.date }}
+
+      # Download and extract the vulnerability DB and Java DB
+      # This is based on the instructions here:
+      # https://github.com/aquasecurity/trivy-action/?tab=readme-ov-file#updating-caches-in-the-default-branch
+
+      - name: Setup oras
+        if: steps.trivy-cache.outputs.cache-hit != 'true'
+        uses: oras-project/setup-oras@v1
+
+      - name: Download and extract the vulnerability DB
+        if: steps.trivy-cache.outputs.cache-hit != 'true'
+        run: |
+          mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/db"
+          oras pull ghcr.io/aquasecurity/trivy-db:2
+          tar -xzf db.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/db"
+          rm db.tar.gz
+
+      - name: Download and extract the Java DB
+        if: steps.trivy-cache.outputs.cache-hit != 'true'
+        run: |
+          mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/java-db"
+          oras pull ghcr.io/aquasecurity/trivy-java-db:1
+          tar -xzf javadb.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/java-db"
+          rm javadb.tar.gz
+
+      - name: Cache DBs
+        if: steps.trivy-cache.outputs.cache-hit != 'true'
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: trivy-cache-${{ steps.date.outputs.date }}
+
       - name: Restore cached Docker image
         uses: actions/cache/restore@v4
         with:
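Review bot: The new third-party action `oras-project/setup-oras@v1`, like the two `oras pull` fetches of `trivy-db:2` and `trivy-java-db:1`, is referenced by a mutable tag, so what `tar -xzf` unpacks into the workspace is whatever those references resolve to at run time; the DB tags have to float to stay current, but the action itself can be pinned to a full commit SHA, e.g. `uses: oras-project/setup-oras@<commit-sha>  # v1` (placeholder; take the SHA from the v1 release). That would differ from the tag-pinned `actions/checkout@v4` already in this job, so it is best adopted as a repo-wide convention rather than for this one step. Separately, the linked README section is about populating the cache on the default branch: a `trivy-cache-<date>` entry saved by a pull-request run is not restorable from other branches, so unless this workflow also runs on the default branch each day, most runs will miss the restore and re-download both DBs — inferred, since the hunk does not show the workflow's triggers. The job's `steps:` list continues outside the hunk.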
@@ -116,6 +158,9 @@ jobs:
           ignore-unfixed: true
           vuln-type: os
           scanners: vuln,secret
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
       - name: Save output to workflow summary
         if: always() # Runs even if there is a failure