From ede88293fde6361b9492560b7fbd6f21c25bc894 Mon Sep 17 00:00:00 2001
From: Paul Swartz
Date: Thu, 31 Oct 2024 15:58:49 -0400
Subject: [PATCH] ci: cache the Trivy database (#12)
---
 .github/workflows/deploy-to-ghcr.yml | 3 ++
 .github/workflows/update-trivy-cache.yml | 38 ++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 .github/workflows/update-trivy-cache.yml
diff --git a/.github/workflows/deploy-to-ghcr.yml b/.github/workflows/deploy-to-ghcr.yml
index 3d88c5d..6ffec0c 100644
--- a/.github/workflows/deploy-to-ghcr.yml
+++ b/.github/workflows/deploy-to-ghcr.yml
@@ -45,3 +45,6 @@ jobs:
 with:
 image-ref: ${{ env.TAG }}
 trivy-config: trivy.yml
+ env:
+ TRIVY_SKIP_DB_UPDATE: true
+ TRIVY_SKIP_JAVA_DB_UPDATE: true
diff --git a/.github/workflows/update-trivy-cache.yml b/.github/workflows/update-trivy-cache.yml
new file mode 100644
index 0000000..dc88eec
--- /dev/null
+++ b/.github/workflows/update-trivy-cache.yml
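Review bot: Hardcoding `TRIVY_SKIP_DB_UPDATE: true` and `TRIVY_SKIP_JAVA_DB_UPDATE: true` on the scan step makes the scan's freshness depend entirely on a cache restore that this hunk does not show; if the restore falls back to an older `cache-trivy-*` entry (trivy-action's default restore-keys do this) the image is scanned against a stale DB and the job still passes green, and if no DB is restored at all Trivy fails for a reason unrelated to the image. Add a guard step before the scan that fails loudly when the DB is absent, e.g. `test -f "$GITHUB_WORKSPACE/.cache/trivy/db/metadata.json" || { echo "cached Trivy DB missing; refusing to scan with --skip-db-update"; exit 1; }`, and consider checking the `UpdatedAt` field in that file against a maximum age so a silently stale cache is also rejected. The enclosing job starts before this hunk, so I cannot see whether a restore step or `cache:` input is configured; if it is not, the skip flags should not be set unconditionally. The `true` values could also be written as `'true'` to make clear they are passed to Trivy as strings rather than YAML booleans.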
@@ -0,0 +1,38 @@
+# from https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#updating-caches-in-the-default-branch
+name: Update Trivy Cache
+
+on:
+ schedule:
+ - cron: '0 0 * * *' # Run daily at midnight UTC
+ workflow_dispatch: # Allow manual triggering
+
+jobs:
+ update-trivy-db:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Setup oras
+ uses: oras-project/setup-oras@v1
+
+ - name: Get current date
+ id: date
+ run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+ - name: Download and extract the vulnerability DB
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+ oras pull ghcr.io/aquasecurity/trivy-db:2
+ tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+ rm db.tar.gz
+
+ - name: Download and extract the Java DB
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+ oras pull ghcr.io/aquasecurity/trivy-java-db:1
+ tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+ rm javadb.tar.gz
+
+ - name: Cache DBs
+ uses: actions/cache/save@v4
+ with:
+ path: ${{ github.workspace }}/.cache/trivy
+ key: cache-trivy-${{ steps.date.outputs.date }}
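Review bot: The two `oras pull` steps fetch `ghcr.io/aquasecurity/trivy-db:2` and `ghcr.io/aquasecurity/trivy-java-db:1` by mutable tag and untar them straight into the cache with no integrity check, so whatever sits behind those tags at midnight becomes the trusted vulnerability source for every scan that day, and a tampered or truncated DB would surface only as missing findings. At minimum print the resolved digest in the step log so a suspicious scan can be traced to the exact artifact, verify the manifest signature if the publisher provides one, and fail the job before `actions/cache/save` if `$GITHUB_WORKSPACE/.cache/trivy/db/metadata.json` is absent after extraction, e.g. `test -f "$GITHUB_WORKSPACE/.cache/trivy/db/metadata.json"`. The third-party actions are pinned only to floating tags (`oras-project/setup-oras@v1`, `actions/cache/save@v4`); pin them to full commit SHAs with the tag in a trailing comment. The workflow also sets no `permissions:` block, so the job token inherits the repository default; as far as I can see nothing here uses `GITHUB_TOKEN` (the cache API uses the runtime token), so a top-level `permissions: {}` should be safe and removes an unneeded grant.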