ci: pull trivy DB from public AWS ECR (#84)

* ci: schedule and cache daily Trivy DB download * ci: disable DB download from Trivy action as already cached * ci: callable workflow * ci: pull trivy DB from public AWS ECR from the Aqua Security (Trivy maintainers) verified account * ci: do not schedule DB downloads
newrelic · Nov 12, 2024 · 8e5f750 · 8e5f750
1 parent e3a1d38
commit 8e5f750
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/.github/workflows/reusable_security.yaml b/.github/workflows/reusable_security.yaml
@@ -34,6 +34,9 @@ jobs:
           severity: 'HIGH,CRITICAL'
           skip-dirs: "${{ inputs.skip-dirs }}"
           skip-files: "${{ inputs.skip-files }}"
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
 
       - name: Run Trivy vulnerability scanner sarif output
         uses: aquasecurity/[email protected]
@@ -47,6 +50,9 @@ jobs:
           output: 'trivy-results.sarif'
           skip-dirs: "${{ inputs.skip-dirs }}"
           skip-files: "${{ inputs.skip-files }}"
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3