Use ECR-hosted Trivy DB rather than public image (#262)

To avoid getting caught by rate limiting on the public resource. #patch
ministryofjustice · Oct 8, 2024 · ada94fc · ada94fc
1 parent 12e3dbe
commit ada94fc
Showing 1 changed file with 21 additions and 15 deletions.
diff --git a/.github/workflows/build-push-images.yml b/.github/workflows/build-push-images.yml
@@ -55,21 +55,7 @@ jobs:
         id: build_image
         run: |
           docker compose build ${{ matrix.container }}
-      - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }}
-        id: trivy_scan
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: ${{ matrix.ecr_repository }}:latest
-          severity: "HIGH,CRITICAL"
-          format: "sarif"
-          output: "trivy-results.sarif"
-      - name: Upload Trivy scan results to GitHub Security tab for ${{ matrix.ecr_repository }}
-        id: trivy_upload_sarif
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: "trivy-results.sarif"
-      - uses: unfor19/install-aws-cli-action@v1
+
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
@@ -85,6 +71,26 @@ jobs:
         with:
           mask-password: true
           registries: 311462405659
+
+      - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }}
+        id: trivy_scan
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db:1
+        with:
+          image-ref: ${{ matrix.ecr_repository }}:latest
+          severity: "HIGH,CRITICAL"
+          format: "sarif"
+          output: "trivy-results.sarif"
+          vuln-type: 'os,library'
+      - name: Upload Trivy scan results to GitHub Security tab for ${{ matrix.ecr_repository }}
+        id: trivy_upload_sarif
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: "trivy-results.sarif"
+
       - name: Push ${{ matrix.ecr_repository }} Image to ECR
         env:
           ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }}