From 3da51853fc251db746b736ce3ff3a9b12d6f275c Mon Sep 17 00:00:00 2001 From: Daisuke Sato Date: Thu, 10 Oct 2024 01:53:00 +0900 Subject: [PATCH] chore(ci): Save Trivy cache (#182) --- .github/workflows/update-trivy-cache.yaml | 38 +++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/update-trivy-cache.yaml diff --git a/.github/workflows/update-trivy-cache.yaml b/.github/workflows/update-trivy-cache.yaml new file mode 100644 index 0000000..7e2c6dd --- /dev/null +++ b/.github/workflows/update-trivy-cache.yaml @@ -0,0 +1,38 @@ +# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans. +# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true. +name: Update Trivy Cache + +on: + schedule: + - cron: '0 1 * * *' # Run daily at midnight UTC + workflow_dispatch: # Allow manual triggering + +jobs: + update-trivy-db: + runs-on: ubuntu-latest + steps: + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + + - name: Download and extract the vulnerability DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db + oras copy ghcr.io/aquasecurity/trivy-db:2 ghcr.io/tiryoh/aquasecurity/trivy-db:2 || echo "err" + oras pull ghcr.io/aquasecurity/trivy-db:2 || oras pull ghcr.io/tiryoh/aquasecurity/trivy-db:2 + tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db + rm db.tar.gz + + - name: Download and extract the Java DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db + oras copy ghcr.io/aquasecurity/trivy-java-db:1 ghcr.io/tiryoh/aquasecurity/trivy-java-db:1 || echo "err" + oras pull ghcr.io/aquasecurity/trivy-java-db:1 || oras pull ghcr.io/tiryoh/aquasecurity/trivy-java-db:1 + tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db + rm javadb.tar.gz + + - name: Cache DBs + uses: actions/cache/save@v4 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }}