-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Setup Trivy caching of config file #764
Conversation
I don't understand the logic for why we need to keep the cache warm. If the Trivy scan isn't used more than once a week and the cache is cleared resulting in a cache miss on the next run, what's the problem with that? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like they beat you to it: https://github.com/aquasecurity/trivy-action/pull/399/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5
Seems like we can close this
For anyone reviewing, this is the PR I based this off of, we need to setup caching in the action. From the conversation in Slack:
|
TRIVY_SKIP_DB_UPDATE: true | ||
TRIVY_SKIP_JAVA_DB_UPDATE: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like this will fail if the cache is missing. This could block PRs or any updates to child repos until the cache workflow is merged and ran
@Nava-JoshLong re-reviewing the code from https://github.com/aquasecurity/trivy-action/pull/399/files it still seems like we can just not do anything and have things cached to the day by default. Are you seeing anything different? Is there a way we can just test this hypothesis without any custom code changes? i.e. just open a PR, run trivy scan on main, then run trivy scan on the PR and check the logs in the second run to see that it was a cache hit |
We can't run workflows on main unless they are merged into main, we'd have to open a PR with just the new workflow to cache to main. I'm working on some logic that'd check if that cache exists, then sets the env variables so we are catching the error when it is a first run |
Logic that handles setting env var when the cache is missing
|
Closing for now, the default behavior of trivy caching will help 90% of repos as is |
Ticket
Resolves #{TICKET NUMBER OR URL}
Changes
Context for reviewers
The trivy action has a known issue where the host of the config file for the action is overwhelmed and causing timeout and failures. There was an update, and their official documentation recommend to use caching of the file, at least at daily, and use that cached file to reduce the load on the hosts.
This PR introduces a new cron workflow to cache that file (and any other scanner files we want to cache in the future), and then updates the trivy action to use that cached file. The cache needs to be used once a week, or the cache needs to have less than 5GB stored, or the older files will be removed, so we want to keep the cache warm for this file
Testing
Testing will be ran from the workflow once the PR is opened (looks like I need to trigger it manually). I'll link those runs once done. I'm looking at the trivy code to see if it will cache for us on first run, or if we need to run the cache workflow first