From 66194082c2bd1b052d5b52f6c239af53b41acc94 Mon Sep 17 00:00:00 2001
From: "kai [they]"
Date: Wed, 13 Nov 2024 13:09:43 -0800
Subject: [PATCH] [Issue #2496] cache trivy (#2839)

## Summary
Very nearly fixes #2496
### Time to review: __1 mins__
## Context for reviewers
I'm not committing to this 100% solving #2496 because the daily cronjob can fail (on trivy rate limits) which would just mean we are back in the same situation we have always been in. So I want to add tries on this stuff because I can call the issue fully solved. 90% of the meat is this PR is pulled from Trivy's docs, I don't know anything about the `oras` stuff
---
 .github/workflows/vulnerability-scans.yml | 45 +++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
index 01014f2bc..c5ec4fe5a 100644
--- a/.github/workflows/vulnerability-scans.yml
+++ b/.github/workflows/vulnerability-scans.yml
@@ -94,6 +94,48 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
+
+      - name: Restore cached trivy vulnerability and Java DBs
+        id: trivy-cache
+        uses: actions/cache/restore@v4
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: trivy-cache-${{ steps.date.outputs.date }}
+
+      # Download and extract the vulnerability DB and Java DB
+      # This is based on the instructions here:
+      # https://github.com/aquasecurity/trivy-action/?tab=readme-ov-file#updating-caches-in-the-default-branch
+
+      - name: Setup oras
+        if: steps.trivy-cache.outputs.cache-hit != 'true'
+        uses: oras-project/setup-oras@v1
+
+      - name: Download and extract the vulnerability DB
+        if: steps.trivy-cache.outputs.cache-hit != 'true'
+        run: |
+          mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/db"
+          oras pull ghcr.io/aquasecurity/trivy-db:2
+          tar -xzf db.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/db"
+          rm db.tar.gz
+
+      - name: Download and extract the Java DB
+        if: steps.trivy-cache.outputs.cache-hit != 'true'
+        run: |
+          mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/java-db"
+          oras pull ghcr.io/aquasecurity/trivy-java-db:1
+          tar -xzf javadb.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/java-db"
+          rm javadb.tar.gz
+
+      - name: Cache DBs
+        if: steps.trivy-cache.outputs.cache-hit != 'true'
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: trivy-cache-${{ steps.date.outputs.date }}
+
       - name: Restore cached Docker image
         uses: actions/cache/restore@v4
         with:
@@ -116,6 +158,9 @@ jobs:
           ignore-unfixed: true
           vuln-type: os
           scanners: vuln,secret
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
 
       - name: Save output to workflow summary
         if: always() # Runs even if there is a failure
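Review bot: In the first hunk (the `steps:` list it extends begins above the hunk), the restore step keys the cache on today's date with no `restore-keys`, so on the first run of a new day a rate-limited `oras pull` leaves no DB at all and the job fails — the situation the description admits this PR still does not solve. A prefix fallback `restore-keys: |` / `  trivy-cache-` would let the job reuse the newest earlier day's DB, but because `cache-hit` is only `'true'` on an exact match the download steps still run, so they need `continue-on-error: true`, the save step must be gated on their `outcome` (otherwise a fallback DB would be re-saved under today's key and frozen there), and a failed pull should surface as a `::warning::` so a scan against an outdated DB is never silent. A stale DB means missed CVEs, so this fallback is a degraded mode worth bounding (for example failing when the restored DB is more than a few days old) rather than a steady state. Separately, `oras-project/setup-oras@v1` is resolved by mutable tag like the other actions in this file; for the step that fetches and extracts the data every scan trusts, pinning to a commit SHA is cheap supply-chain hygiene.
```yaml
      - name: Restore cached trivy vulnerability and Java DBs
        id: trivy-cache
        uses: actions/cache/restore@v4
        with:
          path: ${{ github.workspace }}/.cache/trivy
          key: trivy-cache-${{ steps.date.outputs.date }}
          # Prefix fallback to the newest earlier day's DB. cache-hit is 'true'
          # only on an exact key match, so the download steps still try to refresh.
          restore-keys: |
            trivy-cache-

      # … unchanged: setup oras …

      - name: Download and extract the vulnerability DB
        id: vuln-db
        if: steps.trivy-cache.outputs.cache-hit != 'true'
        # A rate-limited pull must not kill the scan when a fallback DB was restored;
        # the check step below decides whether that is acceptable.
        continue-on-error: true
        run: |
          # … unchanged: mkdir / oras pull / tar / rm …

      # … unchanged: Java DB step, given id: java-db and the same continue-on-error …

      - name: Fail without a DB, warn when scanning with a stale one
        if: steps.vuln-db.outcome == 'failure' || steps.java-db.outcome == 'failure'
        run: |
          if [ ! -d "$GITHUB_WORKSPACE/.cache/trivy/db" ]; then
            echo "::error::trivy DB download failed and no cached fallback was restored"
            exit 1
          fi
          echo "::warning::trivy DB download failed; scanning with a cached DB from an earlier day"

      - name: Cache DBs
        # Never re-save a fallback DB under today's key — that would freeze it there.
        if: >-
          steps.trivy-cache.outputs.cache-hit != 'true' &&
          steps.vuln-db.outcome == 'success' &&
          steps.java-db.outcome == 'success'
        # … unchanged: cache save …
```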
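Review bot: In the second hunk, `TRIVY_SKIP_DB_UPDATE: true` and `TRIVY_SKIP_JAVA_DB_UPDATE: true` are YAML booleans; GitHub stringifies env values so this works, but the quoted form `TRIVY_SKIP_DB_UPDATE: "true"` states the intent explicitly and keeps yamllint's `truthy` rule quiet. The scan step these env vars attach to (its `uses:`/`with:` start above the hunk) is configured with `vuln-type: os`, and as far as I can tell the Java DB is only consulted for JAR/WAR library scanning, so the Java DB download in the earlier hunk looks like an extra rate-limited request that can fail the job without contributing to this scan; if no other job shares the cache, dropping those steps and the `TRIVY_SKIP_JAVA_DB_UPDATE` line removes a failure point. Also, with updates skipped the scan's freshness is now entirely the cache key's — once per calendar day — which suits a daily cron but deserves a comment above `env:` such as `# DBs are pre-fetched and cached above; do not let trivy hit ghcr.io during the scan`.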