From 1bcc6940ced69faca7aa7fa7b8f2440ccb932350 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20S=C3=A1nchez?= Date: Thu, 7 Nov 2024 21:27:03 +0000 Subject: [PATCH 1/5] ci: schedule and cache daily Trivy DB download --- .github/workflows/download_trivy_db.yaml | 40 ++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 .github/workflows/download_trivy_db.yaml diff --git a/.github/workflows/download_trivy_db.yaml b/.github/workflows/download_trivy_db.yaml new file mode 100644 index 0000000..9fd913b --- /dev/null +++ b/.github/workflows/download_trivy_db.yaml @@ -0,0 +1,40 @@ +name: Update Trivy Cache + +on: + schedule: + - cron: '0 0 * * *' # Update daily at 00:00 - before scheduled trivy scan + workflow_dispatch: # Allow manual triggering + +jobs: + update-trivy-db: + runs-on: ubuntu-22.04 + steps: + - name: Setup oras + uses: oras-project/setup-oras@v1 + + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + + - name: Download and extract the vulnerability DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db + # try GHCR, fallback to ECR + { oras pull ghcr.io/aquasecurity/trivy-db:2 } || { oras pull public.ecr.aws/aquasecurity/trivy-db:2 } + tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db + rm db.tar.gz + + # Also recommended by trivy docs for non-java projects as jars could be embedded in unexpected places + - name: Download and extract the Java DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db + # try GHCR, fallback to ECR + { oras pull ghcr.io/aquasecurity/trivy-java-db:1 } || { oras pull public.ecr.aws/aquasecurity/trivy-java-db:1 } + tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db + rm javadb.tar.gz + + - name: Cache DBs + uses: actions/cache/save@v4 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }} From f2cec2054253552c2da562f5141cadcb7d2063fd Mon Sep 17 00:00:00 2001 
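Review bot: The fallback chain in the `Download and extract the vulnerability DB` step (and its Java twin) is not valid bash: `{ oras pull ghcr.io/aquasecurity/trivy-db:2 }` has no `;` before `}`, so `}` is passed to oras as an argument and the script ends in an unclosed group, which bash rejects before running anything; write it as `oras pull ghcr.io/aquasecurity/trivy-db:2 || oras pull public.ecr.aws/aquasecurity/trivy-db:2` (and the same for `trivy-java-db:1`). The workflow declares no `permissions:`, so the job runs with the repository's default `GITHUB_TOKEN` scopes although it only pulls public artifacts and writes the Actions cache — add `permissions: {}` at the top. `oras-project/setup-oras@v1` and `actions/cache/save@v4` are mutable tags; since this job's output feeds every security scan, pinning both to commit SHAs is the usual supply-chain hardening. Nothing here checks a digest or signature on what the `:2`/`:1` tags resolve to, which is inherent to a daily-updated DB but worth stating next to the pull, e.g. `# No digest pinning: tags are mutable by design, trust rests on the registry account`.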
From: =?UTF-8?q?David=20S=C3=A1nchez?= Date: Thu, 7 Nov 2024 21:30:52 +0000 Subject: [PATCH 2/5] ci: disable DB download from Trivy action as already cached --- .github/workflows/reusable_security.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/reusable_security.yaml b/.github/workflows/reusable_security.yaml index 3ef54bf..e98f4e7 100644 --- a/.github/workflows/reusable_security.yaml +++ b/.github/workflows/reusable_security.yaml @@ -34,6 +34,10 @@ jobs: severity: 'HIGH,CRITICAL' skip-dirs: "${{ inputs.skip-dirs }}" skip-files: "${{ inputs.skip-files }}" + env: + # dbs are downloaded async in download_trivy_db.yml + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true - name: Run Trivy vulnerability scanner sarif output uses: aquasecurity/trivy-action@0.28.0 @@ -47,6 +51,10 @@ jobs: output: 'trivy-results.sarif' skip-dirs: "${{ inputs.skip-dirs }}" skip-files: "${{ inputs.skip-files }}" + env: + # dbs are downloaded async in download_trivy_db.yml + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 From 1f03e76f865749e8f92eee74522f9831ef0b6690 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20S=C3=A1nchez?= Date: Mon, 11 Nov 2024 17:18:19 +0000 Subject: [PATCH 3/5] ci: callable workflow --- .github/workflows/download_trivy_db.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/download_trivy_db.yaml b/.github/workflows/download_trivy_db.yaml index 9fd913b..4ea7744 100644 --- a/.github/workflows/download_trivy_db.yaml +++ b/.github/workflows/download_trivy_db.yaml @@ -4,6 +4,7 @@ on: schedule: - cron: '0 0 * * *' # Update daily at 00:00 - before scheduled trivy scan workflow_dispatch: # Allow manual triggering + workflow_call: # Allow being called jobs: update-trivy-db: From bb741a1cf20f2ab4031fc702eb6042cab9952ece Mon Sep 17 00:00:00 2001 
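Review bot: Setting `TRIVY_SKIP_DB_UPDATE` and `TRIVY_SKIP_JAVA_DB_UPDATE` makes the scan depend on a DB already being present under Trivy's cache dir, but the hunk adds no `actions/cache/restore` step and the surrounding context shows none; unless one exists elsewhere in the job, the scan has nothing to load. If a restore step is added, its key must match the `cache-trivy-<date>` key written by the scheduled workflow, and a miss early in the day (the save job runs at 00:00) needs a prefix fallback such as `restore-keys: cache-trivy-`. The comment points at `download_trivy_db.yml` while the file created in the previous patch is `download_trivy_db.yaml`. The same `env:` block is pasted verbatim on both Trivy steps; a job-level `env:` would keep the two scans from drifting. The enclosing job starts outside the hunk.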
From: =?UTF-8?q?David=20S=C3=A1nchez?= Date: Tue, 12 Nov 2024 12:36:57 +0000 Subject: [PATCH 4/5] ci: pull trivy DB from public AWS ECR from the Aqua Security (Trivy maintainers) verified account --- .github/workflows/reusable_security.yaml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/reusable_security.yaml b/.github/workflows/reusable_security.yaml index e98f4e7..209fef5 100644 --- a/.github/workflows/reusable_security.yaml +++ b/.github/workflows/reusable_security.yaml @@ -35,9 +35,8 @@ jobs: skip-dirs: "${{ inputs.skip-dirs }}" skip-files: "${{ inputs.skip-files }}" env: - # dbs are downloaded async in download_trivy_db.yml - TRIVY_SKIP_DB_UPDATE: true - TRIVY_SKIP_JAVA_DB_UPDATE: true + TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db + TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db - name: Run Trivy vulnerability scanner sarif output uses: aquasecurity/trivy-action@0.28.0 @@ -52,9 +51,8 @@ jobs: skip-dirs: "${{ inputs.skip-dirs }}" skip-files: "${{ inputs.skip-files }}" env: - # dbs are downloaded async in download_trivy_db.yml - TRIVY_SKIP_DB_UPDATE: true - TRIVY_SKIP_JAVA_DB_UPDATE: true + TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db + TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 From cf26b085514043cec8a5ed57f2a3a20748aa0bb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20S=C3=A1nchez?= Date: Tue, 12 Nov 2024 12:38:05 +0000 Subject: [PATCH 5/5] ci: do not schedule DB downloads --- .github/workflows/download_trivy_db.yaml | 41 ------------------------ 1 file changed, 41 deletions(-) delete mode 100644 .github/workflows/download_trivy_db.yaml diff --git a/.github/workflows/download_trivy_db.yaml b/.github/workflows/download_trivy_db.yaml deleted file mode 100644 index 4ea7744..0000000 --- a/.github/workflows/download_trivy_db.yaml +++ /dev/null 
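Review bot: The subject says the DB is now pulled from a "verified" account, but nothing in the hunk verifies anything: `TRIVY_DB_REPOSITORY` is a bare repository name, so the scan trusts whatever tag the action resolves under it, and the only identity guarantee is ownership of the `public.ecr.aws/aquasecurity` namespace. That is a reasonable trust decision, but the removed comment is not replaced, so the new lines should say why they exist and what they rely on, e.g. `# Pull DBs from Aqua's public ECR; integrity rests on the registry account, no digest pinning`. The two env lines are repeated verbatim on both Trivy steps; hoisting them to a job-level `env:` keeps the scans from drifting. The enclosing job starts outside the hunk.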
@@ -1,41 +0,0 @@ -name: Update Trivy Cache - -on: - schedule: - - cron: '0 0 * * *' # Update daily at 00:00 - before scheduled trivy scan - workflow_dispatch: # Allow manual triggering - workflow_call: # Allow being called - -jobs: - update-trivy-db: - runs-on: ubuntu-22.04 - steps: - - name: Setup oras - uses: oras-project/setup-oras@v1 - - - name: Get current date - id: date - run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - - name: Download and extract the vulnerability DB - run: | - mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db - # try GHCR, fallback to ECR - { oras pull ghcr.io/aquasecurity/trivy-db:2 } || { oras pull public.ecr.aws/aquasecurity/trivy-db:2 } - tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db - rm db.tar.gz - - # Also recommended by trivy docs for non-java projects as jars could be embedded in unexpected places - - name: Download and extract the Java DB - run: | - mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db - # try GHCR, fallback to ECR - { oras pull ghcr.io/aquasecurity/trivy-java-db:1 } || { oras pull public.ecr.aws/aquasecurity/trivy-java-db:1 } - tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db - rm javadb.tar.gz - - - name: Cache DBs - uses: actions/cache/save@v4 - with: - path: ${{ github.workspace }}/.cache/trivy - key: cache-trivy-${{ steps.date.outputs.date }}