chore: Setup Trivy cache (#1377)

pluralsh · Oct 10, 2024 · 4e702a0 · 4e702a0
1 parent 3b19b0d
commit 4e702a0
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 0 deletions.
diff --git a/.github/workflows/ai.yaml b/.github/workflows/ai.yaml
@@ -69,6 +69,9 @@ jobs:
           security-checks: 'vuln,secret'
           ignore-unfixed: true
            #severity: 'CRITICAL,HIGH'
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -94,6 +94,9 @@ jobs:
           security-checks: 'vuln,secret'
           ignore-unfixed: true
            #severity: 'CRITICAL,HIGH'
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:
@@ -119,6 +122,9 @@ jobs:
           security-checks: 'vuln,secret'
           ignore-unfixed: true
           #severity: 'CRITICAL,HIGH'
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:

diff --git a/.github/workflows/trivy-artifact-scan.yaml b/.github/workflows/trivy-artifact-scan.yaml
@@ -35,6 +35,9 @@ jobs:
           security-checks: 'vuln,secret,config'
           ignore-unfixed: true
           #severity: 'CRITICAL,HIGH'
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:

diff --git a/.github/workflows/trivy-cache.yaml b/.github/workflows/trivy-cache.yaml
@@ -0,0 +1,34 @@
+name: Update Trivy Cache
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  update-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Download and extract the vulnerability DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+          oras pull ghcr.io/aquasecurity/trivy-db:2
+          tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+          rm db.tar.gz
+
+      - name: Download and extract the Java DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+          oras pull ghcr.io/aquasecurity/trivy-java-db:1
+          tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+          rm javadb.tar.gz
+
+      - name: Cache DBs
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}
diff --git a/.github/workflows/www.yaml b/.github/workflows/www.yaml
@@ -63,6 +63,9 @@ jobs:
           security-checks: 'vuln,secret'
           ignore-unfixed: true
            #severity: 'CRITICAL,HIGH'
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:
@@ -88,6 +91,9 @@ jobs:
           security-checks: 'vuln,secret'
           ignore-unfixed: true
           #severity: 'CRITICAL,HIGH'
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with: