Add db-trivy from another DB
This commit is contained in:
parent
1d0bcb5c39
commit
5ab63cfe46
GPG Key ID:
531E723EED721D7C
46
.gitea/workflows/db-trivy.yaml
Normal file
46
.gitea/workflows/db-trivy.yaml
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans.
|
||||||
|
# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true.
|
||||||
|
name: Update Trivy Cache
|
||||||
|
|
||||||
|
on:
|
||||||
|
schedule:
|
||||||
|
- cron: '0 0 * * *' # Run daily at midnight UTC
|
||||||
|
workflow_dispatch: # Allow manual triggering
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
update-trivy-db:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Get current date
|
||||||
|
id: date
|
||||||
|
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
|
||||||
|
|
||||||
|
- name: Install Oras
|
||||||
|
id: oras
|
||||||
|
run: |
|
||||||
|
VERSION="1.2.0"
|
||||||
|
curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz"
|
||||||
|
mkdir -p oras-install/
|
||||||
|
tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/
|
||||||
|
sudo mv oras-install/oras /usr/local/bin/
|
||||||
|
rm -rf oras_${VERSION}_*.tar.gz oras-install/
|
||||||
|
|
||||||
|
- name: Download and extract the vulnerability DB
|
||||||
|
run: |
|
||||||
|
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
|
||||||
|
oras pull public.ecr.aws/aquasecurity/trivy-db:2
|
||||||
|
tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
|
||||||
|
rm db.tar.gz
|
||||||
|
|
||||||
|
- name: Download and extract the Java DB
|
||||||
|
run: |
|
||||||
|
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
|
||||||
|
oras pull public.ecr.aws/aquasecurity/trivy-java-db:1
|
||||||
|
tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
|
||||||
|
rm javadb.tar.gz
|
||||||
|
|
||||||
|
- name: Cache DBs
|
||||||
|
uses: actions/cache/save@v4
|
||||||
|
with:
|
||||||
|
path: ${{ github.workspace }}/.cache/trivy
|
||||||
|
key: cache-trivy-${{ steps.date.outputs.date }}
|
||||||
@ -52,7 +52,7 @@ jobs:
|
|||||||
${{ secrets.DOCKER_REGISTRY_USER}}/yt-local:v0.2.19
|
${{ secrets.DOCKER_REGISTRY_USER}}/yt-local:v0.2.19
|
||||||
|
|
||||||
- name: Run Trivy vulnerability scanner
|
- name: Run Trivy vulnerability scanner
|
||||||
uses: aquasecurity/trivy-action@master
|
uses: aquasecurity/trivy-action@0.27.0
|
||||||
with:
|
with:
|
||||||
image-ref: ${{ secrets.DOCKER_REGISTRY_USER}}/yt-local:latest
|
image-ref: ${{ secrets.DOCKER_REGISTRY_USER}}/yt-local:latest
|
||||||
format: 'table'
|
format: 'table'
|
||||||
@ -60,6 +60,11 @@ jobs:
|
|||||||
ignore-unfixed: true
|
ignore-unfixed: true
|
||||||
vuln-type: 'os'
|
vuln-type: 'os'
|
||||||
severity: 'CRITICAL,HIGH'
|
severity: 'CRITICAL,HIGH'
|
||||||
|
env:
|
||||||
|
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
|
||||||
|
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
|
||||||
|
TRIVY_SKIP_DB_UPDATE: false
|
||||||
|
TRIVY_SKIP_JAVA_DB_UPDATE: false
|
||||||
|
|
||||||
- name: Push Docker image
|
- name: Push Docker image
|
||||||
uses: docker/build-push-action@v6
|
uses: docker/build-push-action@v6
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user