add trivy cache #63
add trivy cache #63
Conversation
sam-trace
requested review from
JBAhire,
aaron-steinfeld,
kotharironak and
ravisingal
as code owners
| shell: sh | ||
| id: date | ||
| run: | | ||
| echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT |
There was a problem hiding this comment.
If we're putting the date into the cache, what's the point? It's just going to accumulate cache entries. I would suggest we make caching optional.
There was a problem hiding this comment.
removed caching . since vulnerabilities are updated daily, we cannot cache it after a day.
There was a problem hiding this comment.
How does pulling this manually via oras help? the rate limit is on ghcr. In the linked thread, they suggest you can just use their public ECR instead which can be passed as a flag.
There was a problem hiding this comment.
TRIVY_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
Seems like this should fallback to the public ECR (should be a similar one for the java db). There's also rate limiting there but we can either set up a user or just hope that having two options should be good enough.
trivy-fs-scan/action.yaml
Outdated
| rm javadb.tar.gz | ||
|
|
||
| - name: Cache DBs | ||
| uses: actions/cache/save@v4 |
There was a problem hiding this comment.
There's no cache restore in this flow. It's atypical to use cache save directly, but if if we're going to we should be doing a restore on cache hit.
Description
trivy scans are failing because of db download. this is a fix to the below issue
aquasecurity/trivy#7668