mirror of https://github.com/dexidp/dex.git
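# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans.
# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true.
#
# The scan workflow then relies entirely on the DB snapshot saved here, so a
# failed or stale run of this job means scans use an older vulnerability DB.
name: Update Trivy Cache

on:
  schedule:
    - cron: '0 0 * * *'  # Run daily at midnight UTC
  workflow_dispatch:  # Allow manual triggering

# Least privilege: the job's GITHUB_TOKEN is limited to read-only repository
# contents; no step below needs to write to the repository.
permissions:
  contents: read

jobs:
  update-trivy-db:
    runs-on: ubuntu-latest
    steps:
      # Third-party actions are pinned to a full commit SHA (the tag is kept in
      # the trailing comment) so a moved tag cannot change what runs here.
      - name: Setup oras
        uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6  # v1.2.4

      # The date becomes part of the cache key, giving one cache entry per day.
      - name: Get current date
        id: date
        run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"

      # NOTE(review): the DB artifact is pulled by a mutable tag (":2") and this
      # workflow does not pin a digest or verify a signature, so the cache
      # holds whatever the registry served at run time. Confirm that is the
      # intended trust level for scan results.
      - name: Download and extract the vulnerability DB
        run: |
          mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/db"
          oras pull ghcr.io/aquasecurity/trivy-db:2
          tar -xzf db.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/db"
          rm db.tar.gz

      # Same trust caveat as the vulnerability DB: pulled by mutable tag (":1").
      - name: Download and extract the Java DB
        run: |
          mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/java-db"
          oras pull ghcr.io/aquasecurity/trivy-java-db:1
          tar -xzf javadb.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/java-db"
          rm javadb.tar.gz

      # Save-only: this job never restores a cache, it only publishes a new
      # dated entry. Consumers presumably restore by the "cache-trivy-" prefix;
      # verify against the scan workflow.
      - name: Cache DBs
        uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
        with:
          path: ${{ github.workspace }}/.cache/trivy
          key: cache-trivy-${{ steps.date.outputs.date }}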