From db412b2d3966c7713879386c73b4cee18892956e Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Thu, 3 Oct 2024 14:11:47 +0600 Subject: [PATCH 1/2] docs: add info about using `action/cache` for `trivy-db` --- README.md | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/README.md b/README.md index 2a2ca84..c1c5673 100644 --- a/README.md +++ b/README.md @@ -123,6 +123,55 @@ jobs: severity: 'CRITICAL,HIGH' ``` +### Using cache for trivy-db +Recently, there has been an increase in cases of receiving the `TOOMANYREQUESTS` error when downloading the `trivy-db`. + +If you’re performing multiple scans, it makes sense to use [action/cache](https://github.com/actions/cache) to cache the `trivy-db`. + +The example below saves the trivy-db for each day: +```yaml +name: build +on: + push: + branches: + - main + pull_request: + +jobs: + build: + name: Build + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v4 + + ## To avoid the trivy-db becoming outdated, we save the cache for one day + - name: Get data + id: date + run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT + + - name: Restore trivy cache + uses: actions/cache@v4 + with: + path: cache/db + key: trivy-cache-${{ steps.date.outputs.date }} + restore-keys: + trivy-cache- + + - name: Run Trivy vulnerability scanner in fs mode + uses: aquasecurity/trivy-action@0.24.0 + with: + scan-type: 'fs' + scan-ref: '.' + cache-dir: "./cache" + + ## Trivy-db uses `0600` permissions. + ## But `action/cache` use `runner` user by default + ## So we need to change the permissions before caching the database. + - name: change permissions for trivy.db + run: sudo chmod 0644 ./cache/db/trivy.db +``` + ### Using Trivy with GitHub Code Scanning If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows: ```yaml 
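Review bot: two naming slips in this hunk: the step `- name: Get data` computes a date and should read `Get date`, and the link text `[action/cache]` does not match the repository it points at (`actions/cache`); the in-YAML comment `But `action/cache` use `runner` user by default` has the same name slip and should be `uses`. On the permissions step, `sudo chmod 0644 ./cache/db/trivy.db` widens the database from owner-only to world-readable; since the file holds public vulnerability data that is acceptable, but the comment should say so explicitly and note that the step exists only so the post-job cache save, which runs as the `runner` user, can read the file. Also worth stating in the text: with `path: cache/db` the cache entry covers only `trivy-db`, while `cache-dir: "./cache"` makes Trivy keep its other downloads under `./cache` too, so a reader who wants those cached as well needs a wider `path`.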
From 097bbadd58c622c8a88d3b17f3493f4bc8a87194 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Thu, 3 Oct 2024 14:27:44 +0600 Subject: [PATCH 2/2] docs: add info about trivy-java-db and trivy-checks --- README.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index c1c5673..54498d5 100644 --- a/README.md +++ b/README.md @@ -123,12 +123,13 @@ jobs: severity: 'CRITICAL,HIGH' ``` -### Using cache for trivy-db -Recently, there has been an increase in cases of receiving the `TOOMANYREQUESTS` error when downloading the `trivy-db`. +### Using cache for Trivy databases +Recently, there has been an increase in cases of receiving the `TOOMANYREQUESTS` error when downloading the Trivy databases (`trivy-db`, `trivy-java-db` and `trivy-checks`). -If you’re performing multiple scans, it makes sense to use [action/cache](https://github.com/actions/cache) to cache the `trivy-db`. +If you’re performing multiple scans, it makes sense to use [action/cache](https://github.com/actions/cache) to cache one or more databases. + +The example below saves the `trivy-db` for each day in the cache: -The example below saves the trivy-db for each day: ```yaml name: build on:
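Review bot: the heading and first sentence now cover three databases (`trivy-db`, `trivy-java-db` and `trivy-checks`), but the example is unchanged and its `actions/cache` step still uses `path: cache/db`, which only captures `trivy-db`; either say so right after `The example below saves the `trivy-db` for each day in the cache:` or change the example to cache the whole `cache` directory (the directory already given by `cache-dir: "./cache"`) so that all three databases benefit. Two smaller points: the hunk drops the blank line between `The example below ...` and the ```` ```yaml ```` fence (the `+` line is added before the retained empty line and the old sentence after it is removed), so the fence now sits directly under the sentence; restore the blank line to match the rest of the README. And `[action/cache]` is still used as the link text for `https://github.com/actions/cache`; while this line is being touched, fix it to `actions/cache`.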