|
|
|
|
@ -192,12 +192,35 @@ jobs:
|
|
|
|
|
push-to-registry: true |
|
|
|
|
if: inputs.publish |
|
|
|
|
|
|
|
|
|
## Use cache for the trivy-db to avoid the TOOMANYREQUESTS error https://github.com/aquasecurity/trivy-action/pull/397 |
|
|
|
|
## To avoid the trivy-db becoming outdated, we save the cache for one day |
|
|
|
|
- name: Get data |
|
|
|
|
id: date |
|
|
|
|
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT |
|
|
|
|
|
|
|
|
|
- name: Restore trivy cache |
|
|
|
|
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # 4.1.2 |
|
|
|
|
with: |
|
|
|
|
path: cache/db |
|
|
|
|
key: trivy-cache-${{ steps.date.outputs.date }} |
|
|
|
|
restore-keys: |
|
|
|
|
trivy-cache- |
|
|
|
|
|
|
|
|
|
- name: Run Trivy vulnerability scanner |
|
|
|
|
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 |
|
|
|
|
with: |
|
|
|
|
input: image |
|
|
|
|
format: sarif |
|
|
|
|
output: trivy-results.sarif |
|
|
|
|
scan-type: 'fs' |
|
|
|
|
scan-ref: '.' |
|
|
|
|
cache-dir: "./cache" |
|
|
|
|
|
|
|
|
|
## Trivy-db uses `0600` permissions. |
|
|
|
|
## But `action/cache` use `runner` user by default |
|
|
|
|
## So we need to change the permissions before caching the database. |
|
|
|
|
- name: change permissions for trivy.db |
|
|
|
|
run: sudo chmod 0644 ./cache/db/trivy.db |
|
|
|
|
|
|
|
|
|
- name: Upload Trivy scan results as artifact |
|
|
|
|
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 |
|
|
|
|
|
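Review bot: The "Run Trivy vulnerability scanner" step is configured inconsistently — `input: image` together with `scan-type: 'fs'` and `scan-ref: '.'` — so what is actually scanned is the checked-out tree, while the image that `push-to-registry: true` publishes a few lines above is, as far as this hunk shows, never scanned (the build step itself is outside the hunk). Either drop `input: image` if a filesystem scan is the intent, or change to `scan-type: 'image'` with `image-ref` pointing at the tag the build step pushes, so the published artifact is what gets checked. Note also that no `exit-code` or `severity` is set, so findings never fail the job; the scan is informational unless the SARIF is consumed downstream, and the upload step's `with:` block falls past the end of the hunk. Finally, `restore-keys: trivy-cache-` falls back to any previous day's cache, so the "one day" comment holds only for the save key; a sentence such as `## restore-keys may hand back an older DB; trivy will refresh it on its own TTL` would make that explicit.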