fix(ci): Fix Trivy TOOMANYREQUESTS errors (#244)

Tiryoh · Oct 9, 2024 · 4c7f5e4 · 4c7f5e4
1 parent 5fb381e
commit 4c7f5e4
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 18 deletions.
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -10,6 +10,7 @@ on:
       - "**/Dockerfile"
       - "poetry.lock"
       - "pyproject.toml"
+      - "requirements.txt"
       - ".github/workflows/test.yaml"
 
 env:
@@ -47,23 +48,6 @@ jobs:
         with:
           name: build-log-${{ matrix.target }}
           path: build_log
-      # - name: Install Trivy
-      #   run: |
-      #     sudo apt-get install apt-transport-https gnupg
-      #     wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
-      #     echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
-      #     sudo apt-get update
-      #     sudo apt-get install trivy
-      # - name: Install Trivy template
-      #   uses: actions/checkout@v4
-      #   with:
-      #     repository: aquasecurity/trivy
-      #     path: trivy
-      # - name: Vulnerability Scan with Trivy
-      #   env:
-      #     DOCKER_LABEL: ${{ matrix.target }}
-      #   run: |
-      #     trivy image --format template --template "@trivy/contrib/sarif.tpl" --exit-code 0 --vuln-type os,library --severity CRITICAL,HIGH --output trivy-results.sarif --no-progress $DOCKER_USERNAME/$DOCKER_IMAGENAME:$DOCKER_LABEL
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
@@ -74,8 +58,11 @@ jobs:
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'trivy-results.sarif'
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'trivy-results.sarif'
           wait-for-processing: true
diff --git a/.github/workflows/update-trivy-cache.yaml b/.github/workflows/update-trivy-cache.yaml
@@ -0,0 +1,38 @@
+# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans.
+# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true.
+name: Update Trivy Cache
+
+on:
+  schedule:
+    - cron: '0 1 * * *'  # Run daily at midnight UTC
+  workflow_dispatch:  # Allow manual triggering
+
+jobs:
+  update-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Download and extract the vulnerability DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+          oras copy ghcr.io/aquasecurity/trivy-db:2 ghcr.io/tiryoh/aquasecurity/trivy-db:2 || echo "err"
+          oras pull ghcr.io/aquasecurity/trivy-db:2 || oras pull ghcr.io/tiryoh/aquasecurity/trivy-db:2
+          tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+          rm db.tar.gz
+
+      - name: Download and extract the Java DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+          oras copy ghcr.io/aquasecurity/trivy-java-db:1 ghcr.io/tiryoh/aquasecurity/trivy-java-db:1 || echo "err"
+          oras pull ghcr.io/aquasecurity/trivy-java-db:1 || oras pull ghcr.io/tiryoh/aquasecurity/trivy-java-db:1
+          tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+          rm javadb.tar.gz
+
+      - name: Cache DBs
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}